Perl question
Mike Friedman
mikef at ack.Berkeley.EDU
Thu Sep 22 13:09:24 EDT 2005
On Thu, 22 Sep 2005 at 11:36 (-0500), Digant C Kasundra wrote:
> I'm trying to find a way to authenticate a username and password pair
> regardless of whether the password is expired or not. When using
> Authen::Krb5, if an account's pw is expired, regardless of the password I
> use to try to get a ticket, it will give me the error that the password
> is expired. How can I verify the username and password?
Digant,
I use the MIT K5 API, rather than the perl Authen::Krb5 module, but I've
had to deal with the same issue.
What I do is this: instead of requesting an initial credential for the
user, I request a credential - on behalf of the user - for a special
service principal that I've registered in my KDC. That principal is
defined with the PWCHANGE_SERVICE attribute, so that the return code for
an invalid password is not sent for an expired password. (In fact, that's
the attribute set for the 'kadmin/changepw' principal used by kpasswd,
which is why kpasswd doesn't have the problem you describe).
I might also mention that if you're doing 'proxy' Kerberos authentication
(i.e., on behalf of another user), it's not really enough just to get a
credential for the user. You should also use the received and 'verified'
TGT to obtain a service credential for a principal whose keytab entry
you've installed and which you use to verify that credential. This is to
protect yourself against a possibly spoofed KDC sending you back bogus
AS_REPs in support of an impersonator (i.e., 'vouching' for the
impersonator-supplied password as belonging to the victim user). In my
case, in fact, I use the same service principal mentioned above for this
purpose as well.
Mike
_____________________________________________________________________
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
_____________________________________________________________________
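The flow Mike describes, written out as an added Perl example with Authen::Krb5 (this is not code from the post or from the module's documentation): request a ticket on the user's behalf for a principal registered with PWCHANGE_SERVICE rather than a TGT, then verify the reply against that principal's keytab so a spoofed KDC cannot vouch for the password. The principal name and keytab path are placeholders, and the get_init_creds_password / verify_init_creds calls are assumptions about the Authen::Krb5 API; check them against the module version you have.

```perl
#!/usr/bin/perl
# Added example: verify a username/password pair even when the
# password is expired, following the approach in the reply above.
use strict;
use warnings;
use Authen::Krb5;

# Hypothetical names: the principal you registered with the
# PWCHANGE_SERVICE attribute and the keytab holding its key.
my $CHECK_SERVICE = 'authcheck/host.example.com';
my $KEYTAB_PATH   = 'FILE:/etc/authcheck.keytab';

# Returns (1, 'ok') when the KDC accepts the password and the reply
# verifies against our keytab; (0, reason) otherwise.
sub verify_password {
    my ($username, $password) = @_;

    Authen::Krb5::init_context()
        or return (0, 'init_context: ' . Authen::Krb5::error());

    my $client = Authen::Krb5::parse_name($username)
        or return (0, 'parse_name(client): ' . Authen::Krb5::error());
    my $service = Authen::Krb5::parse_name($CHECK_SERVICE)
        or return (0, 'parse_name(service): ' . Authen::Krb5::error());

    # Ask for a ticket for $CHECK_SERVICE instead of krbtgt/REALM.
    # Because that principal carries PWCHANGE_SERVICE, an expired but
    # correct password still yields a ticket; a wrong one is refused.
    my $creds = Authen::Krb5::get_init_creds_password($client, $password, $service)
        or return (0, 'get_init_creds_password: ' . Authen::Krb5::error());

    # Confirm the ticket was sealed with a key we hold, so a bogus
    # AS_REP from an impersonating KDC is rejected (the same service
    # principal serves for both steps, as in the reply).
    my $kt = Authen::Krb5::kt_resolve($KEYTAB_PATH)
        or return (0, 'kt_resolve: ' . Authen::Krb5::error());
    Authen::Krb5::verify_init_creds($creds, $service, $kt)
        or return (0, 'verify_init_creds: ' . Authen::Krb5::error());

    return (1, 'ok');
}

# Username on the command line; password read from stdin so it does
# not appear in the process list.
my $user = shift @ARGV or die "usage: $0 username < password\n";
my $pw = <STDIN>;
defined $pw or die "no password on stdin\n";
chomp $pw;

my ($ok, $why) = verify_password($user, $pw);
print $ok ? "password verified\n" : "rejected: $why\n";
exit($ok ? 0 : 1);
```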