Does PAC Validation Require External Communication?
Michael B Allen
mba2000 at ioplex.com
Tue May 15 02:05:12 GMT 2007
On Tue, 15 May 2007 11:27:48 +1000
Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2007-05-14 at 20:17 -0400, Michael B Allen wrote:
> > On Tue, 15 May 2007 09:29:14 +1000
> > Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > > > > spoof their way to any (CIFS) user via the PAC, because they could make
> > > > > up a fake one. Similarly, as always with kerberos, they could change
> > > > > the principal in the ticket, etc.
> > > > >
> > > > > This can be worked around by validating the PAC to the KDC, but should
> > > > > be of concern to anyone who shares that keytab too broadly (eg with
> > > > > apache).
> > > >
> > > > So exploring the Apache example a little more - if Apache loaded the
> > > > keytab as root when it initialized and stored it in an in-memory only
> > > > keytab so that workers didn't really have access to it
> > >
> > > You would need to *ensure* the workers didn't have access to it. (ie,
> > > the GSSAPI authentication should go via a IPC mechanism.
> >
> > Or one of the lower level Kerberos checksum verification routines. Sounds
> > more complicated than it's worth but definitely something to keep in mind.
>
> One of the advantages of the work that Love has done to put the PAC
> validation into the kerberos library is that we could potentially
> seperate all kerberos processing into a locked-down selinux-protected
> special user. Then the various system tools wanting to do kerberos
> would not need the long-term keys, but could still get stuff like the
> PAC back, validated.
>
> Likewise, I think a similar tool (achieving the same ideas as the
> winbind kinit integration, possibly such as kcm?) could handle all the
> kerberos, keeping the user's TGT away from the desktop apps.
Just in case Love suddenly get's inspired by all of this - rather than
requiring a specific process model, I would like to see just a socket
descriptor and a function to process the server side so that I can use
it with existing muxer code. I don't want to crap up my process table
with daemons. Also, the IPC should be well defined and simple so that
I can go that low if I want.
Mike
More information about the samba-technical
mailing list