Perl question

Mike Friedman mikef at ack.Berkeley.EDU
Thu Sep 22 13:09:24 EDT 2005



On Thu, 22 Sep 2005 at 11:36 (-0500), Digant C Kasundra wrote:

> I'm trying to find a way to authenticate a username and password pair 
> regardless of whether the password is expired or not.  When using 
> Authen::Krb5, if an account's pw is expired, regardless of the password I 
> use to try to get a ticket, it will give me the error that the password 
> is expired.  How can I verify the username and password?

Digant,

I use the MIT K5 API, rather than the Perl Authen::Krb5 module, but I've 
had to deal with the same issue.

What I do is this:  instead of requesting an initial credential for the 
user, I request a credential - on behalf of the user - for a special 
service principal that I've registered in my KDC.  That principal is 
defined with the PWCHANGE_SERVICE attribute, so that the return code for 
an invalid password is not sent for an expired password.  (In fact, that's 
the attribute set for the 'kadmin/changepw' principal used by kpasswd, 
which is why kpasswd doesn't have the problem you describe).

I might also mention that if you're doing 'proxy' Kerberos authentication 
(i.e., on behalf of another user), it's not really enough just to get a 
credential for the user.  You should also use the received and 'verified' 
TGT to obtain a service credential for a principal whose keytab entry 
you've installed and which you use to verify that credential. This is to 
protect yourself against a possibly spoofed KDC sending you back bogus 
AS_REPs in support of an impersonator (i.e., 'vouching' for the 
impersonator-supplied password as belonging to the victim user).  In my 
case, in fact, I use the same service principal mentioned above for this 
purpose as well.

Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
mikef at ack.Berkeley.EDU          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________


