[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Does PAC Validation Require External Communication?

To: Andrew Bartlett <abartlet@samba.org>
Subject: Re: Does PAC Validation Require External Communication?
From: Michael B Allen <mba2000@ioplex.com>
Date: Mon, 14 May 2007 20:17:19 -0400
Cc: heimdal-discuss@sics.se, samba-technical@samba.org
In-Reply-To: <1179185354.2940.14.camel@localhost.localdomain>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Organization: IOPLEX Software
References: <20070514133410.2edbb39a.mba2000@ioplex.com><1179179980.2940.6.camel@localhost.localdomain><20070514192440.de7dc236.mba2000@ioplex.com><1179185354.2940.14.camel@localhost.localdomain>
Reply-To: heimdal-discuss@sics.se, Michael B Allen <mba2000@ioplex.com>

On Tue, 15 May 2007 09:29:14 +1000
Andrew Bartlett <abartlet@samba.org> wrote:

> > > spoof their way to any (CIFS) user via the PAC, because they could make
> > > up a fake one.  Similarly, as always with kerberos, they could change
> > > the principal in the ticket, etc. 
> > > 
> > > This can be worked around by validating the PAC to the KDC, but should
> > > be of concern to anyone who shares that keytab too broadly (eg with
> > > apache). 
> > 
> > So exploring the Apache example a little more - if Apache loaded the
> > keytab as root when it initialized and stored it in an in-memory only
> > keytab so that workers didn't really have access to it
> 
> You would need to *ensure* the workers didn't have access to it.  (ie,
> the GSSAPI authentication should go via a IPC mechanism.

Or one of the lower level Kerberos checksum verification routines. Sounds
more complicated than it's worth but definitely something to keep in mind.

Mike

Follow-Ups:
- Re: Does PAC Validation Require External Communication?
  - From: Andrew Bartlett <abartlet@samba.org>

References:
- Does PAC Validation Require External Communication?
  - From: Michael B Allen <mba2000@ioplex.com>
- Re: Does PAC Validation Require External Communication?
  - From: Andrew Bartlett <abartlet@samba.org>
- Re: Does PAC Validation Require External Communication?
  - From: Michael B Allen <mba2000@ioplex.com>
- Re: Does PAC Validation Require External Communication?
  - From: Andrew Bartlett <abartlet@samba.org>

Prev by Date: Re: Does PAC Validation Require External Communication?
Next by Date: Re: Does PAC Validation Require External Communication?
Prev by thread: Re: Does PAC Validation Require External Communication?
Next by thread: Re: Does PAC Validation Require External Communication?
Index(es):
- Date
- Thread