[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Does PAC Validation Require External Communication?

On Mon, 2007-05-14 at 19:24 -0400, Michael B Allen wrote:
> On Tue, 15 May 2007 07:59:40 +1000
> Andrew Bartlett <abartlet@samba.org> wrote:
> > On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
> > > This link claims MS' PAC verification can require communication with
> > > the DC:
> > > 
> > > http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx
> > > 
> > > Is this true? If so, services will not be able to authenticate nearly
> > > as fast as they otherwise could.
> > 
> > If you think that someone else (not root) has access to the local
> > kerberos keytab (or the machine account password), then that user could
> > spoof their way to any (CIFS) user via the PAC, because they could make
> > up a fake one.  Similarly, as always with kerberos, they could change
> > the principal in the ticket, etc. 
> > 
> > This can be worked around by validating the PAC to the KDC, but should
> > be of concern to anyone who shares that keytab too broadly (eg with
> > apache). 
> > 
> > On windows, I think a user could run a service, and unless the PAC was
> > validated with the KDC, they could use their password to fake their way
> > down to another more privileged user. 
> Hi Andrew,
> So exploring the Apache example a little more - if Apache loaded the
> keytab as root when it initialized and stored it in an in-memory only
> keytab so that workers didn't really have access to it

You would need to *ensure* the workers didn't have access to it.  (ie,
the GSSAPI authentication should go via a IPC mechanism.  Perhaps to

> , the KDC checksum
> wouldn't really need to be validated and no communication with the KDC
> would be necessary?

Correct.  As we don't talk to the KDC in Samba, this is a strict
requirement for a secure system.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

This is a digitally signed message part