AD-SIGNEDPATH and cross-realm
ghudson@MIT.EDU
ghudson at MIT.EDU
Wed Feb 3 23:13:43 EST 2010
Heimdal created an authdata element called AD-SIGNEDPATH to allow
S4U2Proxy without PACs. It contains a checksum made with the TGS key,
and verifies that the user->service ticket in the additional ticket
field was created by the KDC and not printed by the service. Luke
implemented this for krb5 1.8 but there are a few subtleties:
* If we are returning a cross-realm TGT, then it will next be
presented to a different KDC, so there is no point in including an
AD-SIGNEDPATH in that case. Heimdal has this check; we have it but
it was buggy (we were checking for cross-realm clients instead). I
have a fix coded up and tested for this problem, so it's taken care
of.
* If AD-SIGNEDPATH is present in the ticket and checksum verification
fails, we reject the TGS request even if we would have accepted the
ticket without AD-SIGNEDPATH at all (i.e. it's not an S4U2Proxy
request). I'm pretty sure we want to be more like Heimdal, and
merely disallow the ticket as an S4U2Proxy subject ticket if
verification fails. I am likely to make this change.
* If AD-SIGNEDPATH is contained within a cross-realm TGT, then we have
pretty good reason to believe that it was checksummed with a
different key and should be ignored. I'm debating whether we want
to add that check, or just let signature verification fail in light
of the second point.
More information about the krbdev
mailing list