[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Does PAC Validation Require External Communication?

To: Andrew Bartlett <abartlet@samba.org>
Subject: Re: Does PAC Validation Require External Communication?
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Mon, 14 May 2007 16:04:14 -0700
Cc: heimdal-discuss@sics.se, Michael B Allen <mba2000@ioplex.com>, samba-technical@samba.org
In-Reply-To: <1179181616.2940.10.camel@localhost.localdomain>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <20070514133410.2edbb39a.mba2000@ioplex.com> <1179179980.2940.6.camel@localhost.localdomain> <D3C8CD64-B843-491B-BBBA-BC918BEB707B@jpl.nasa.gov> <1179181616.2940.10.camel@localhost.localdomain>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>


On May 14, 2007, at 3:26 PM, Andrew Bartlett wrote:

> On Mon, 2007-05-14 at 15:21 -0700, Henry B. Hotz wrote:
>> As I understand it, if you have access to the server's keytab, then
>> in principle you can forge credentials for anyone, including non-
>> existent users (but only for that server).  What you suggest would
>> prevent someone faking the PAC data in a credential, and from
>> inventing a fake user, but they could still fake the credential.
>>
>> In other words it wouldn't stop John Jones from presenting a fake
>> credential for Sam Smith that just happened to include the real PAC
>> data that Sam would have had if it were really Sam.
>
> The PAC includes another signature, with the KDC's private key.  This
> signature can validate that the service didn't fake a user to itself.

OK, good!

> Of course, if you hold the keytab for the machine account, you could
> also fake the signed and encrypted communication with the KDC to
> validate the PAC...

. . . but not perfect.  Still spoofing another live service is  
another barrier to an exploit.

References:
- Does PAC Validation Require External Communication?
  - From: Michael B Allen <mba2000@ioplex.com>
- Re: Does PAC Validation Require External Communication?
  - From: Andrew Bartlett <abartlet@samba.org>
- Re: Does PAC Validation Require External Communication?
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: Does PAC Validation Require External Communication?
  - From: Andrew Bartlett <abartlet@samba.org>

Prev by Date: Re: Does PAC Validation Require External Communication?
Next by Date: Re: Does PAC Validation Require External Communication?
Prev by thread: Re: Does PAC Validation Require External Communication?
Next by thread: Re: Does PAC Validation Require External Communication?
Index(es):
- Date
- Thread