
Re: Does PAC Validation Require External Communication?



On Mon, 2007-05-14 at 20:17 -0400, Michael B Allen wrote:
> On Tue, 15 May 2007 09:29:14 +1000
> Andrew Bartlett <abartlet@samba.org> wrote:
> 
> > > > spoof their way to any (CIFS) user via the PAC, because they could make
> > > > up a fake one.  Similarly, as always with kerberos, they could change
> > > > the principal in the ticket, etc. 
> > > > 
> > > > This can be worked around by validating the PAC to the KDC, but should
> > > > be of concern to anyone who shares that keytab too broadly (eg with
> > > > apache). 
> > > 
> > > So exploring the Apache example a little more - if Apache loaded the
> > > keytab as root when it initialized and stored it in an in-memory only
> > > keytab so that workers didn't really have access to it
> > 
> > You would need to *ensure* the workers didn't have access to it.  (i.e.,
> > the GSSAPI authentication should go via an IPC mechanism.)
> 
> Or one of the lower level Kerberos checksum verification routines. Sounds
> more complicated than it's worth but definitely something to keep in mind.

One of the advantages of the work that Love has done to put the PAC
validation into the kerberos library is that we could potentially
separate all kerberos processing into a locked-down selinux-protected
special user.  Then the various system tools wanting to do kerberos
would not need the long-term keys, but could still get stuff like the
PAC back, validated.

Likewise, I think a similar tool (achieving the same ideas as the
winbind kinit integration, possibly such as kcm?) could handle all the
kerberos, keeping the user's TGT away from the desktop apps.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
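The threat and the mitigation discussed in this thread, as an added example that is not from the thread or from Samba: a simplified model of the two PAC checksums, showing why a holder of the service keytab can pass a service's local check but not validation against the KDC. Keys, the dict layout and HMAC-SHA256 are constructed stand-ins for the real MS-PAC signature fields and Kerberos checksum types.

```python
import hmac
import hashlib

# Constructed stand-in keys (not real Kerberos keys): the service's long-term key,
# as found in its keytab, and the krbtgt key that only the KDC holds.
SERVICE_KEY = b"constructed-service-long-term-key"
KRBTGT_KEY = b"constructed-krbtgt-key"


def checksum(key: bytes, data: bytes) -> bytes:
    """Keyed checksum; HMAC-SHA256 stands in for the checksum types MS-PAC uses."""
    return hmac.new(key, data, hashlib.sha256).digest()


def kdc_issue_pac(authz: bytes) -> dict:
    """KDC side: the server checksum covers the authorization data with the service
    key, and the KDC checksum covers the server checksum with the krbtgt key."""
    server_sig = checksum(SERVICE_KEY, authz)
    kdc_sig = checksum(KRBTGT_KEY, server_sig)
    return {"authz": authz, "server_sig": server_sig, "kdc_sig": kdc_sig}


def service_verify_local(pac: dict) -> bool:
    """All a service can check with only its keytab: the server checksum."""
    return hmac.compare_digest(checksum(SERVICE_KEY, pac["authz"]), pac["server_sig"])


def kdc_verify_pac(pac: dict) -> bool:
    """The 'validate the PAC to the KDC' round trip: the KDC re-checks its checksum."""
    return hmac.compare_digest(checksum(KRBTGT_KEY, pac["server_sig"]), pac["kdc_sig"])


def tampered_by_keytab_holder(pac: dict, new_authz: bytes) -> dict:
    """Models the threat in the thread: whoever holds the service keytab can rewrite the
    authorization data and recompute the server checksum, but cannot recompute the KDC
    checksum, so the original one has to be left in place."""
    return {"authz": new_authz,
            "server_sig": checksum(SERVICE_KEY, new_authz),
            "kdc_sig": pac["kdc_sig"]}


def accept_pac(pac: dict, validate_with_kdc: bool):
    """Service decision: the authorization data if the PAC is accepted, else None.
    Without the KDC round trip a keytab holder's forgery is accepted."""
    if not service_verify_local(pac):
        return None
    if validate_with_kdc and not kdc_verify_pac(pac):
        return None
    return pac["authz"]
```

Run `accept_pac(tampered_by_keytab_holder(kdc_issue_pac(b"user=alice"), b"user=alice;groups=admins"), validate_with_kdc=False)` and the altered data comes back; with `validate_with_kdc=True` it returns None.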
