Re: Does PAC Validation Require External Communication?

On Tue, 15 May 2007 07:59:40 +1000
Andrew Bartlett <abartlet@samba.org> wrote:

> On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
> > This link claims MS' PAC verification can require communication with
> > the DC:
> > 
> > http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx
> > 
> > Is this true? If so, services will not be able to authenticate nearly
> > as fast as they otherwise could.
> If you think that someone else (not root) has access to the local
> Kerberos keytab (or the machine account password), then that user could
> spoof their way to any (CIFS) user via the PAC, because they could make
> up a fake one.  Similarly, as always with Kerberos, they could change
> the principal in the ticket, etc.
> This can be worked around by validating the PAC to the KDC, but should
> be of concern to anyone who shares that keytab too broadly (e.g. with
> apache).
> On windows, I think a user could run a service, and unless the PAC was
> validated with the KDC, they could use their password to fake their way
> down to another more privileged user. 

Hi Andrew,

So exploring the Apache example a little more - if Apache loaded the
keytab as root when it initialized and stored it in an in-memory only
keytab so that workers didn't really have access to it, the KDC checksum
wouldn't really need to be validated and no communication with the KDC
would be necessary?
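A toy model of the two PAC checksums the thread is about, added here as an illustration and not part of the original exchange: the service can verify the server checksum with its own keytab key, but only the KDC holds the key behind the KDC checksum, which is why a service key that leaks past root is enough to pass every check the service can do locally. HMAC-SHA256 stands in for the Kerberos keyed checksum and both keys are constructed values.

```python
import hmac
import hashlib

# Constructed keys: stand-ins for the service's keytab key and the KDC's own key.
SERVICE_KEY = b"constructed-service-keytab-key"
KDC_KEY = b"constructed-kdc-key"


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    # Simplified stand-in for the Kerberos keyed checksum used on a real PAC.
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_pac(authz_data: bytes, service_key: bytes, kdc_key: bytes) -> dict:
    """KDC side. As in MS-PAC, the server checksum covers the authorization data
    and the KDC checksum covers the server checksum, not the data itself."""
    server_sig = keyed_checksum(service_key, authz_data)
    kdc_sig = keyed_checksum(kdc_key, server_sig)
    return {"authz": authz_data, "server_sig": server_sig, "kdc_sig": kdc_sig}


def verify_locally(pac: dict, service_key: bytes) -> bool:
    """Everything a service can check without talking to the KDC."""
    expected = keyed_checksum(service_key, pac["authz"])
    return hmac.compare_digest(pac["server_sig"], expected)


def verify_with_kdc(pac: dict, kdc_key: bytes) -> bool:
    """The extra check that needs the KDC round trip, because only the KDC has kdc_key."""
    expected = keyed_checksum(kdc_key, pac["server_sig"])
    return hmac.compare_digest(pac["kdc_sig"], expected)


def tampered_pac(pac: dict, new_authz: bytes, service_key: bytes) -> dict:
    """Andrew's scenario: a holder of the service key rewrites the authorization
    data and recomputes the server checksum. The KDC checksum cannot be redone
    without kdc_key, so it is left as it was."""
    return {
        "authz": new_authz,
        "server_sig": keyed_checksum(service_key, new_authz),
        "kdc_sig": pac["kdc_sig"],
    }


def demo() -> tuple:
    """Returns (local check on genuine PAC, KDC check on genuine PAC,
    local check on tampered PAC, KDC check on tampered PAC)."""
    genuine = issue_pac(b"user=alice;groups=users", SERVICE_KEY, KDC_KEY)
    altered = tampered_pac(genuine, b"user=alice;groups=admins", SERVICE_KEY)
    return (verify_locally(genuine, SERVICE_KEY), verify_with_kdc(genuine, KDC_KEY),
            verify_locally(altered, SERVICE_KEY), verify_with_kdc(altered, KDC_KEY))
```

The last two values of `demo()` are the point of the thread: the altered PAC passes the local check and fails only the KDC check, so skipping KDC validation is safe exactly to the degree that the service key itself is kept from anyone but root.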