Re: Does PAC Validation Require External Communication?

On Mon, 2007-05-14 at 15:21 -0700, Henry B. Hotz wrote:
> As I understand it, if you have access to the server's keytab, then
> in principle you can forge credentials for anyone, including
> non-existent users (but only for that server). What you suggest would
> prevent someone faking the PAC data in a credential, and from
> inventing a fake user, but they could still fake the credential.
> In other words it wouldn't stop John Jones from presenting a fake
> credential for Sam Smith that just happened to include the real PAC
> data that Sam would have had if it were really Sam.

The PAC includes another signature, with the KDC's private key.  This
signature can validate that the service didn't fake a user to itself.

Of course, if you hold the keytab for the machine account, you could
also fake the signed and encrypted communication with the KDC to
validate the PAC...

Andrew Bartlett
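The two-checksum chain discussed above, as an added toy model that is not code from this thread or from Samba: it assumes a single symmetric `kdc_key` and uses HMAC-SHA256 in place of the Kerberos checksum types, so it shows only why a keytab holder can satisfy the service's local check but not the KDC-keyed one.

```python
import hmac
import hashlib


def _mac(key: bytes, data: bytes) -> bytes:
    # Stand-in for a Kerberos keyed checksum (assumption: HMAC-SHA256).
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_pac(pac_body: bytes, service_key: bytes, kdc_key: bytes) -> dict:
    """Attach the two checksums a KDC puts on a PAC.

    The server checksum is keyed with the service's long-term key, i.e. the
    key sitting in its keytab.  The KDC checksum covers only the server
    checksum and is keyed with a key the service never holds (modelled here
    as one symmetric 'kdc_key').
    """
    server_sig = _mac(service_key, pac_body)
    kdc_sig = _mac(kdc_key, server_sig)
    return {"body": pac_body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def verify_locally(pac: dict, service_key: bytes) -> bool:
    """All a service can check by itself: the server checksum."""
    expected = _mac(service_key, pac["body"])
    return hmac.compare_digest(expected, pac["server_sig"])


def verify_at_kdc(pac: dict, kdc_key: bytes) -> bool:
    """What the KDC checks when the service sends the PAC for validation."""
    expected = _mac(kdc_key, pac["server_sig"])
    return hmac.compare_digest(expected, pac["kdc_sig"])


def resign_with_service_key(pac_body: bytes, service_key: bytes) -> dict:
    """The case the thread describes: a keytab holder re-signs a PAC body.

    They can recompute the server checksum, but without the KDC key the
    KDC checksum cannot be recomputed and is left as a placeholder.
    """
    server_sig = _mac(service_key, pac_body)
    return {"body": pac_body, "server_sig": server_sig, "kdc_sig": b"\0" * 32}


def validate(pac: dict, service_key: bytes, kdc_key: bytes) -> bool:
    """Full validation: local server checksum plus the KDC round-trip."""
    return verify_locally(pac, service_key) and verify_at_kdc(pac, kdc_key)
```

The second chain the thread raises (faking the validation exchange itself with the machine-account key) is outside this model; it is what makes the KDC round-trip useless against a full keytab compromise.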

