CLIENT_NOT_FOUND reply to kinit a security vulnerability?
checker
checker at d6.com
Sat Jun 18 04:29:38 EDT 2011
Hi, I'm new to using Kerberos and I'm definitely not a security expert, and I tried searching for this but it's pretty difficult since most of the hits are about people trying to get Kerberos working, so here goes...
If I do "kinit notauser" to my KDC, it replies instantly with:
> kinit: Client not found in Kerberos database while getting initial credentials
If I "kinit realuser" then it replies by asking for the password as expected.
Doesn't this allow somebody to probe the KDC to find valid user names, which seems like a vulnerability? Other programs like SSH don't give any information away on bad usernames so you can't probe for valid ones. I thought this was a security best-practice, so I was surprised to find Kerberos doesn't do this. Or, is there a setting somewhere? Or, am I missing something?
Thanks,
Chris