AD-SIGNEDPATH and cross-realm

ghudson@MIT.EDU
Wed Feb 3 23:13:43 EST 2010

Heimdal created an authdata element called AD-SIGNEDPATH to allow
S4U2Proxy without PACs.  It contains a checksum made with the TGS key,
and verifies that the user->service ticket in the additional ticket
field was created by the KDC and not printed by the service.  Luke
implemented this for krb5 1.8 but there are a few subtleties:

* If we are returning a cross-realm TGT, then it will next be
  presented to a different KDC, so there is no point in including an
  AD-SIGNEDPATH in that case.  Heimdal has this check; we have it but
  it was buggy (we were checking for cross-realm clients instead).  I
  have a fix coded up and tested for this problem, so it's taken care

* If AD-SIGNEDPATH is present in the ticket and checksum verification
  fails, we reject the TGS request even if we would have accepted the
  ticket without AD-SIGNEDPATH at all (i.e. it's not an S4U2Proxy
  request).  I'm pretty sure we want to be more like Heimdal, and
  merely disallow the ticket as an S4U2Proxy subject ticket if
  verification fails.  I am likely to make this change.

* If AD-SIGNEDPATH is contained within a cross-realm TGT, then we have
  pretty good reason to believe that it was checksummed with a
  different key and should be ignored.  I'm debating whether we want
  to add that check, or just let signature verification fail in light
  of the second point.

More information about the krbdev mailing list
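As an added illustration, and not code from krb5, Heimdal or this post: a toy Python model of the three decisions above, so the cases can be exercised side by side. The ticket layout, the HMAC-based checksum, the realm names (EXAMPLE.COM, OTHER.ORG), the keys and every function name are assumptions; the real AD-SIGNEDPATH is a DER-encoded authdata element whose checksum covers more of the ticket than this. `buggy=True` reproduces the cross-realm-client mistake from the first point, `strict=True` the reject-everything behaviour from the second, and `signed_path_status` returns "ignored" for the cross-realm TGT case of the third.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

LOCAL_REALM = "EXAMPLE.COM"                        # assumed realm of the modelled KDC
TGS_KEY = b"constructed krbtgt/EXAMPLE.COM key"    # stands in for the local TGS key
FOREIGN_TGS_KEY = b"constructed krbtgt/OTHER.ORG key"


@dataclass
class Ticket:
    client: str                          # "user@REALM"
    server: str                          # "service/host@REALM" or "krbtgt/REALM2@REALM"
    delegates: tuple = ()                # services the client has already been proxied through
    signed_path: Optional[bytes] = None  # models AD-SIGNEDPATH (a keyed checksum)


def is_cross_realm_tgt(ticket):
    """krbtgt/A@B with A != B: either bound for realm A's KDC (point 1) or
    issued by realm B's KDC and presented to us (point 3)."""
    name, trealm = ticket.server.split("@", 1)
    return name.startswith("krbtgt/") and name[len("krbtgt/"):] != trealm


def signed_path_checksum(key, ticket):
    # Toy encoding: the real checksum covers more ticket fields than this.
    msg = "|".join([ticket.client, ticket.server, *ticket.delegates]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def should_sign_path(ticket, buggy=False):
    if buggy:
        # The krb5 1.8 mistake from point 1: looks at the client's realm,
        # so a cross-realm TGT for a local user still gets signed and a
        # local service ticket for a foreign user does not.
        return ticket.client.rsplit("@", 1)[1] == LOCAL_REALM
    return not is_cross_realm_tgt(ticket)   # fixed: skip only cross-realm TGTs


def issue_ticket(client, server, delegates=(), buggy=False):
    t = Ticket(client, server, tuple(delegates))
    if should_sign_path(t, buggy):
        t.signed_path = signed_path_checksum(TGS_KEY, t)
    return t


def signed_path_status(ticket):
    """'absent', 'ignored' (point 3), 'valid' or 'invalid'."""
    if ticket.signed_path is None:
        return "absent"
    if is_cross_realm_tgt(ticket):
        return "ignored"           # checksummed with another realm's TGS key
    expected = signed_path_checksum(TGS_KEY, ticket)
    return "valid" if hmac.compare_digest(ticket.signed_path, expected) else "invalid"


def handle_tgs_request(tgt, server, evidence=None, strict=False):
    """Return ('issued', Ticket) or ('rejected', reason).

    strict=True is the krb5 1.8 behaviour from point 2 (a bad checksum rejects
    the whole request); strict=False is the Heimdal-like behaviour proposed
    there (a bad checksum only disqualifies a ticket as S4U2Proxy evidence).
    """
    if strict and signed_path_status(tgt) == "invalid":
        return ("rejected", "AD-SIGNEDPATH verification failed")
    if evidence is None:                               # ordinary TGS request
        return ("issued", issue_ticket(tgt.client, server))
    # S4U2Proxy: the service presents a user->service ticket as evidence.  It
    # holds its own service key, so it could print such a ticket itself; only
    # a checksum made with the TGS key proves the KDC issued it.
    if signed_path_status(evidence) != "valid":
        return ("rejected", "evidence ticket lacks a valid AD-SIGNEDPATH")
    if evidence.server != tgt.client:
        return ("rejected", "evidence ticket is not for the requesting service")
    path = evidence.delegates + (tgt.client,)
    return ("issued", issue_ticket(evidence.client, server, path))


if __name__ == "__main__":
    svc = "http/www.example.com@EXAMPLE.COM"
    svc_tgt = issue_ticket(svc, "krbtgt/EXAMPLE.COM@EXAMPLE.COM")
    forged = Ticket("alice@EXAMPLE.COM", svc)          # printed by the service itself
    forged.signed_path = signed_path_checksum(b"constructed http service key", forged)
    print(handle_tgs_request(svc_tgt, "cifs/fs.example.com@EXAMPLE.COM", evidence=forged))
    genuine = issue_ticket("alice@EXAMPLE.COM", svc)   # issued by the KDC
    print(handle_tgs_request(svc_tgt, "cifs/fs.example.com@EXAMPLE.COM", evidence=genuine))
```

The forged evidence ticket is rejected because its checksum was not made with the TGS key, while the KDC-issued one yields a ticket for alice with the proxying service recorded in the path. A TGT whose checksum has been tampered with is rejected outright only under `strict=True`; under the proposed behaviour it is still usable for an ordinary TGS request, just not as evidence.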