On Mon, 2007-05-14 at 20:17 -0400, Michael B Allen wrote:
> On Tue, 15 May 2007 09:29:14 +1000
> Andrew Bartlett <abartlet@samba.org> wrote:
>
> > > > spoof their way to any (CIFS) user via the PAC, because they could make
> > > > up a fake one. Similarly, as always with kerberos, they could change
> > > > the principal in the ticket, etc.
> > > >
> > > > This can be worked around by validating the PAC to the KDC, but should
> > > > be of concern to anyone who shares that keytab too broadly (eg with
> > > > apache).
> > >
> > > So exploring the Apache example a little more - if Apache loaded the
> > > keytab as root when it initialized and stored it in an in-memory only
> > > keytab so that workers didn't really have access to it
> >
> > You would need to *ensure* the workers didn't have access to it. (ie,
> > the GSSAPI authentication should go via an IPC mechanism.)
>
> Or one of the lower level Kerberos checksum verification routines. Sounds
> more complicated than it's worth but definitely something to keep in mind.

One of the advantages of the work that Love has done to put the PAC
validation into the kerberos library is that we could potentially
separate all kerberos processing into a locked-down selinux-protected
special user. Then the various system tools wanting to do kerberos would
not need the long-term keys, but could still get stuff like the PAC
back, validated.

Likewise, I think a similar tool (achieving the same ideas as the winbind
kinit integration, possibly such as kcm?) could handle all the kerberos,
keeping the user's TGT away from the desktop apps.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
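The privilege-separation idea in the thread (PAC validation done by a process that holds the service key, with the unprivileged workers only talking to it over IPC) can be sketched as a toy model. This is an added example, not Samba or Heimdal code and not anything the posters wrote: HMAC-SHA256 over a JSON body stands in for the real PAC's keyed server checksum, and a forked process plus a socketpair stands in for the locked-down validator user. The point it demonstrates is the one Andrew raises: whoever holds the long-term key can mint a PAC for any principal, so a worker that never holds the key can neither forge nor re-point one, while the broker can still hand back validated PAC contents.

```python
"""Toy privilege-separated PAC validator (constructed example).

HMAC-SHA256 models the PAC's keyed checksum; os.fork() + socketpair()
models the separate, locked-down validator process.  Nothing here is
real Kerberos wire format.
"""
import hashlib
import hmac
import json
import os
import socket
import struct

MAC_LEN = 32  # HMAC-SHA256 digest length


def sign_pac(server_key: bytes, principal: str, sids: list) -> bytes:
    """KDC side (modelled): serialise authorisation data, append the keyed
    checksum.  Anyone holding server_key can mint a PAC for any user."""
    body = json.dumps({"principal": principal, "sids": sids}, sort_keys=True).encode()
    return body + hmac.new(server_key, body, hashlib.sha256).digest()


def verify_pac(server_key: bytes, blob: bytes):
    """Return the decoded PAC if its checksum verifies, else None."""
    if len(blob) <= MAC_LEN:
        return None
    body, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(server_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(body)


# Minimal length-prefixed framing over the IPC socket.
def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed")
        buf += chunk
    return buf


def _send(sock, payload: bytes) -> None:
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def _recv(sock) -> bytes:
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, n)


def broker_loop(sock, server_key: bytes) -> None:
    """Privileged side: the only code that ever touches the long-term key.
    Replies with the validated PAC or a rejection; an empty request means
    shut down."""
    while True:
        blob = _recv(sock)
        if not blob:
            return
        pac = verify_pac(server_key, blob)
        reply = {"ok": True, "pac": pac} if pac is not None else {"ok": False}
        _send(sock, json.dumps(reply).encode())


def ask_broker(sock, blob: bytes) -> dict:
    """Unprivileged worker side: hand the blob over, get a verdict back."""
    _send(sock, blob)
    return json.loads(_recv(sock))


def demo() -> dict:
    server_key = os.urandom(32)  # the service's long-term key (hypothetical)
    genuine = sign_pac(server_key, "alice@EXAMPLE.COM", ["S-1-5-21-1-2-3-1105"])

    worker_end, broker_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # child: the broker, holds the key
        worker_end.close()
        try:
            broker_loop(broker_end, server_key)
        finally:
            os._exit(0)

    broker_end.close()
    del server_key  # model only: the real worker never loaded the keytab
    results = {}
    results["genuine"] = ask_broker(worker_end, genuine)
    # A compromised worker can only sign with a key it does not have.
    forged = sign_pac(os.urandom(32), "Administrator@EXAMPLE.COM", ["S-1-5-21-1-2-3-500"])
    results["forged"] = ask_broker(worker_end, forged)
    # Re-pointing a genuine PAC at another principal breaks the checksum.
    results["tampered"] = ask_broker(worker_end, genuine.replace(b"alice", b"admin"))

    _send(worker_end, b"")  # shutdown
    worker_end.close()
    os.waitpid(pid, 0)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

In a real deployment the broker would run as the dedicated, SELinux-confined user the mail describes, read the keytab itself, and do the actual PAC checksum verification (and KDC validation where configured) before returning the authorisation data over the socket; the worker process's address space would then contain the verdict but never the key.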