Perl question
Digant C Kasundra
digant at uta.edu
Thu Sep 22 13:46:48 EDT 2005
Ah, that works. I tried to get a ticket for kadmin/changepw instead of a
TGT for the realm. Thanks for the lead!
-- DK
On Thu, 2005-09-22 at 10:09 -0700, Mike Friedman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 22 Sep 2005 at 11:36 (-0500), Digant C Kasundra wrote:
>
> > I'm trying to find a way to authenticate a username and password pair
> > regardless of whether the password is expired or not. When using
> > Authen::Krb5, if an account's pw is expired, regardless of the password I
> > use to try to get a ticket, it will give me the error that the password
> > is expired. How can I verify the username and password?
>
> Digant,
>
> I use the MIT K5 API, rather than the perl Authen::Krb5 module, but I've
> had to deal with the same issue.
>
> What I do is this: instead of requesting an initial credential for the
> user, I request a credential - on behalf of the user - for a special
> service principal that I've registered in my KDC. That principal is
> defined with the PWCHANGE_SERVICE attribute, so that the return code for
> an invalid password is not sent for an expired password. (In fact, that's
> the attribute set for the 'kadmin/changepw' principal used by kpasswd,
> which is why kpasswd doesn't have the problem you describe).
>
> I might also mention that if you're doing 'proxy' Kerberos authentication
> (i.e., on behalf of another user), it's not really enough just to get a
> credential for the user. You should also use the received and 'verified'
> TGT to obtain a service credential for a principal whose keytab entry
> you've installed and which you use to verify that credential. This is to
> protect yourself against a possibly spoofed KDC sending you back bogus
> AS_REPs in support of an impersonator (i.e., 'vouching' for the
> impersonator-supplied password as belonging to the victim user). In my
> case, in fact, I use the same service principal mentioned above for this
> purpose as well.
>
> Mike
>
> _____________________________________________________________________
> Mike Friedman System and Network Security
> mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
> 1-510-642-1410 University of California at Berkeley
> http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
> _____________________________________________________________________
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQA/AwUBQzLlSK0bf1iNr4mCEQIbXQCg/NYFQ5fHRa11rhCpJnYg43gVMsQAn1VT
> Eo59UApBx401s18PM2lHRuj6
> =w0ML
> -----END PGP SIGNATURE-----
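The two steps Mike describes, written out as an added Perl example against the Authen::Krb5 module Digant is using (this is not code from either poster). It relies on Authen::Krb5's get_init_creds_password (with its optional service-principal argument) and verify_init_creds wrappers; the realm, keytab path and verifier principal are placeholders for your own site.

```perl
#!/usr/bin/perl
# Added example, not from the thread: check a username/password pair with
# Authen::Krb5 even when the password has expired, then verify that the
# answering KDC is genuine before trusting the credential.
use strict;
use warnings;
use Authen::Krb5;

# Assumptions: replace with your realm, a keytab readable by this process,
# and a service principal whose key is stored in that keytab.
my $REALM      = 'EXAMPLE.COM';
my $KEYTAB     = 'FILE:/etc/krb5.keytab';
my $VERIFY_SVC = "host/login.example.com\@$REALM";

Authen::Krb5::init_context()
    or die "init_context: " . Authen::Krb5::error() . "\n";

# Returns one of: 'bad_password', 'expired', 'kdc_untrusted', 'ok'.
sub check_credentials {
    my ($user, $password) = @_;
    my $client = Authen::Krb5::parse_name("$user\@$REALM")
        or die "parse_name: " . Authen::Krb5::error() . "\n";

    # Step 1 (Mike's first point): ask for a ticket for kadmin/changepw
    # instead of a TGT.  That principal carries PWCHANGE_SERVICE, so the
    # KDC answers on the basis of the password alone and does not return
    # the "password expired" error a TGT request would produce.
    my $pw_creds = Authen::Krb5::get_init_creds_password(
        $client, $password, "kadmin/changepw\@$REALM");
    return 'bad_password' unless $pw_creds;

    # Step 2: now request an ordinary TGT.  With the password already known
    # to be right, a failure here is the expiry case (check
    # Authen::Krb5::error() if you need to distinguish other KDC errors).
    my $tgt = Authen::Krb5::get_init_creds_password($client, $password);
    return 'expired' unless $tgt;

    # Step 3 (Mike's second point): a spoofed KDC can hand back an AS-REP
    # for any password it likes.  Use the TGT to fetch a service ticket for
    # a principal whose key we hold and decrypt it with our keytab; only a
    # KDC that knows that key can pass this check.
    my $server = Authen::Krb5::parse_name($VERIFY_SVC)
        or die "parse_name: " . Authen::Krb5::error() . "\n";
    my $keytab = Authen::Krb5::kt_resolve($KEYTAB)
        or die "kt_resolve: " . Authen::Krb5::error() . "\n";
    return 'kdc_untrusted'
        unless Authen::Krb5::verify_init_creds($tgt, $server, $keytab);

    return 'ok';
}

# Usage: perl check_krb5_pw.pl USERNAME   (password read from stdin, not argv,
# so it does not show up in the process list)
if (!caller) {
    my $user = shift @ARGV
        or die "usage: $0 username  (password on stdin)\n";
    chomp(my $password = <STDIN> // '');
    print check_credentials($user, $password), "\n";
}
```

Step 1 on its own answers Digant's question; step 3 is the part that matters when the result is used to log someone in on their behalf, since without the keytab check a forged AS-REP is indistinguishable from a real one. An 'expired' result means the password was correct and the account should be sent to a password-change flow rather than rejected.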