Implementing RBCD

Isaac Boukris iboukris at
Sun Mar 24 14:28:41 EDT 2019

Hi Greg,

On Fri, Mar 22, 2019 at 12:48 AM Greg Hudson <ghudson at> wrote:
> On 3/21/19 6:20 PM, Isaac Boukris wrote:
> > [notes: both these requirements are challenging:
> > The first would involve full decoding of the PAC, while I think it
> > could be a good idea to have it in krb5 library (for other purposes as
> > well), I only have a vague idea of what NDR decoding actually means,
> > and as far as I remember Greg was not fond of this idea in the past.
> I could be okay with this if NDR isn't too hard to decode.

I've looked a bit more, doing it properly using IDL would be an
overkill. But manual decoding seems simple enough (per MS-PAC).
Specifically, the UAC does not involve following an internal pointer
and can be reached at a fixed offset. I added a commit that shows how
we could do it for krb5 api (though we could add some sanity checks) .

There is another issue, if we want to check for sensitivity however.
To access the PAC we need to decrypt the ticket for-self, and for that
we need the keytab with long term keys (possibly including other
In GSSAPI, if the ticket for-self was obtained via gss_accept() then
we should be good, but if it is acquired via gss_impersonate(), it
seems that at no point we decrypt the ticket, and I was able in fact
to do constrained-delegation with an initiator TGT only by calling
gss_impersonate() followed by init_sec_context(). To check for
forwardable, the gss-glue code uses 'kdc_rep->enc_part2->flags'
instead of 'kdc_rep->ticket->enc_part2->flags' like the krb5 api does.

I wonder how we can go about it. Perhaps if the ticket is not
forwardable, gss_impersonate() will still issue non-proxy creds as
now, but the caller could still try to call gss_accept() and provide
for new delegated creds, then, using the keytab we check the PAC of
the for-self ticket in cache and create proxy creds if the client is
not sensitive (this is similar to what mod_auth_gssapi is currently
doing afair). Maybe if gss_impersonate() was called using GSS_C_BOTH
creds, then we could try to call gss_accept() internally as a shortcut
and avoid the need of change in the caller application.

More information about the krbdev mailing list