On Mon, 2007-05-14 at 15:21 -0700, Henry B. Hotz wrote:
> As I understand it, if you have access to the server's keytab, then
> in principle you can forge credentials for anyone, including
> non-existent users (but only for that server). What you suggest would
> prevent someone faking the PAC data in a credential, and from
> inventing a fake user, but they could still fake the credential.
>
> In other words it wouldn't stop John Jones from presenting a fake
> credential for Sam Smith that just happened to include the real PAC
> data that Sam would have had if it were really Sam.

The PAC includes another signature, with the KDC's private key. This
signature can validate that the service didn't fake a user to itself.

Of course, if you hold the keytab for the machine account, you could
also fake the signed and encrypted communication with the KDC to
validate the PAC...

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
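The two-checksum argument in the reply above, worked through as a toy model. This is an added example, not Samba code and not an implementation of the Kerberos or MS-PAC wire format: it keeps only the structural property under discussion (a server checksum keyed with the service's long-term key, and a KDC checksum keyed with the krbtgt key and computed over the server checksum), and substitutes HMAC-SHA256 and constructed keys for the real Kerberos checksum types and keytab material. The `issue_pac`, `service_checks`, `kdc_checks` and `rewritten_pac` names are this example's own.

```python
"""Toy model of the two PAC checksums discussed in the thread above.

Added example, not Samba or Kerberos code. It models only the trust
structure: a server checksum keyed with the service key, and a KDC
checksum keyed with the KDC (krbtgt) key over that server checksum.
HMAC-SHA256 and the constructed keys below stand in for the real
Kerberos checksum types and keytab material.
"""
import hashlib
import hmac
import json

# Constructed keys: what a service's keytab holds, and what only the KDC holds.
SERVICE_KEY = b"service-keytab-key-constructed"
KDC_KEY = b"krbtgt-key-constructed"


def _mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for a Kerberos keyed checksum."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode_body(user: str, groups: list[str]) -> bytes:
    """Deterministic encoding of the authorization data (the PAC body)."""
    return json.dumps({"user": user, "groups": sorted(groups)}, sort_keys=True).encode()


def issue_pac(user: str, groups: list[str], service_key: bytes, kdc_key: bytes) -> dict:
    """KDC-side issuance: server checksum over the body, then KDC checksum
    over the server checksum."""
    body = _encode_body(user, groups)
    server_cksum = _mac(service_key, body)
    return {
        "body": body,
        "server_cksum": server_cksum,
        "kdc_cksum": _mac(kdc_key, server_cksum),
    }


def service_checks(pac: dict, service_key: bytes) -> bool:
    """The only check a service can perform with its keytab alone."""
    return hmac.compare_digest(_mac(service_key, pac["body"]), pac["server_cksum"])


def kdc_checks(pac: dict, kdc_key: bytes) -> bool:
    """The check that needs the KDC key (what PAC validation against the DC
    provides). Note it covers the server checksum, not the body directly,
    so it only means something together with service_checks()."""
    return hmac.compare_digest(_mac(kdc_key, pac["server_cksum"]), pac["kdc_cksum"])


def rewritten_pac(genuine: dict, user: str, groups: list[str], service_key: bytes) -> dict:
    """Test vector for the verifier: a PAC rebuilt by a holder of the service
    key only. Its server checksum is correct, but the KDC checksum can only
    be copied from the genuine PAC and no longer matches."""
    body = _encode_body(user, groups)
    return {
        "body": body,
        "server_cksum": _mac(service_key, body),
        "kdc_cksum": genuine["kdc_cksum"],
    }


def demo() -> dict:
    """Which key each check actually depends on."""
    genuine = issue_pac("sam", ["users"], SERVICE_KEY, KDC_KEY)
    altered = rewritten_pac(genuine, "sam", ["users", "admins"], SERVICE_KEY)
    return {
        "genuine_local": service_checks(genuine, SERVICE_KEY),
        "genuine_kdc": kdc_checks(genuine, KDC_KEY),
        "altered_local": service_checks(altered, SERVICE_KEY),  # service key suffices
        "altered_kdc": kdc_checks(altered, KDC_KEY),            # KDC key required
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last point of the reply is the boundary of this model: `kdc_checks()` only helps when the answer comes from a party holding the KDC key over a channel the service cannot answer for itself. If that channel is authenticated with the same machine account key that sits in the service's keytab, whoever holds the keytab can also produce the "validated" answer, which is why the KDC checksum closes the gap for a service honestly validating tickets but not against a compromised keytab.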