Avoiding Pre-Auth/Auth Principal State Disclosure

Eric Hattemer ehatteme at usc.edu
Wed Jul 1 01:53:44 EDT 2020


If you run a client like kinit and ask for a principal with 
REQUIRES_PRE_AUTH and a disabled/pw_expired/locked-out state, or request 
a principal that doesn't exist, you aren't asked for a password and get 
an immediate response with the status of the account.  Is there a way to 
avoid this behavior?  People have created hacking toolkits that try 
every possible username to download the list of usernames in the 
database and their state.

I know pre-auth is a special case where you'd need to provide a 
plausible challenge for non-existent accounts.  But is there maybe a 
setting to treat unknown principals as if they had pre-auth disabled, 
request a password, and just send back invalid password / encryption 
failed no matter what?

We were trying to implement an authentication proxy module that uses 
Kerberos, and we wanted to only disclose an account was disabled if the 
user typed in the correct password.  But the only case we could make 
work was if the account was expired (different from pw_expired).


-- 
Eric Hattemer
Engineer
Identity and Access Management
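The post describes a KDC answering AS-REQs for unknown, disabled or locked principals before any password is supplied, which is what username-enumeration tools exploit. While the KDC-side setting the post asks about is not something this message answers, the pattern is detectable on the KDC's own logs. The following script is an added example (not code from the post or from MIT Kerberos): it parses krb5kdc.log-style AS_REQ lines and flags a source that triggers many distinct CLIENT_NOT_FOUND replies inside a short window. The sample log lines are constructed, and the exact field layout and status strings (CLIENT_NOT_FOUND, NEEDED_PREAUTH, and the expired/locked-out variants) are assumptions about the KDC's log format; adjust `LINE_RE` and `PASSWORDLESS_STATUSES` to match your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of krb5kdc.log (assumption: the exact
# layout of your KDC's log may differ). These are not real log data.
SAMPLE_LOG = """\
Jul 01 01:53:40 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: aaron@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:41 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: abby@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:41 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 01 01:53:42 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: adam@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:43 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: alan@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:44 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: alex@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:45 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: amy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:50 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 01 01:53:51 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1593582831, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 01 01:55:30 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: bobb@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
"""

# Matches AS_REQ lines that carry a status followed by the client principal.
# ISSUE lines (successful ticket grants) deliberately do not match: the text
# after "ISSUE:" is not a principal, so they are skipped by parse_events().
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \([^)]*\) (?P<src>[\d.]+): (?P<status>[A-Z][A-Z_ ]*): "
    r"(?P<client>[^\s,]+@\S+) for "
)

# Statuses the KDC returns before any password has been proven. The first two
# appear in the constructed sample; the rest are assumed status strings for the
# expired/locked-out cases the post mentions and should be checked against your KDC.
PASSWORDLESS_STATUSES = {
    "CLIENT_NOT_FOUND",
    "NEEDED_PREAUTH",
    "CLIENT EXPIRED",
    "CLIENT KEY EXPIRED",
    "CLIENT LOCKED OUT",
}


def parse_events(log_text):
    """Return (timestamp, source_ip, status, client_principal) for each AS_REQ status line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ISSUE lines and unrelated messages carry no probe signal here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m["src"], m["status"], m["client"]))
    return events


def enumeration_report(log_text, threshold=5, window_seconds=60):
    """Flag sources that receive >= threshold CLIENT_NOT_FOUND replies for distinct
    principals within any window_seconds span. A single mistyped username will not
    trip this; a dictionary of guessed usernames will."""
    by_src = defaultdict(list)
    for ts, src, status, client in parse_events(log_text):
        if status in PASSWORDLESS_STATUSES:
            by_src[src].append((ts, status, client))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        unknown = [(ts, c) for ts, st, c in evs if st == "CLIENT_NOT_FOUND"]
        peak = 0
        # Sliding window anchored at each unknown-principal reply in turn.
        for i, (start, _) in enumerate(unknown):
            names = {c for ts, c in unknown[i:]
                     if (ts - start).total_seconds() <= window_seconds}
            peak = max(peak, len(names))
        if peak >= threshold:
            flagged[src] = {
                "distinct_unknown_in_window": peak,
                "passwordless_replies": len(evs),
            }
    return flagged


if __name__ == "__main__":
    for src, info in enumeration_report(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

Counting distinct principals rather than raw CLIENT_NOT_FOUND lines keeps a user retrying one bad username from tripping the rule, while `passwordless_replies` records how many status disclosures of any kind the source collected without presenting a password, which is the quantity the post is concerned about.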
