Validating Users With Expired Passwords

Jeffrey Hutzelman jhutz at cmu.edu
Thu Jan 19 16:54:03 EST 2006



On Wednesday, January 18, 2006 06:37:44 AM -0800 wiltbank at gmail.com wrote:

> In a nutshell, I need to take a username and an expired password and
> see if that truly was the user's last password.

You haven't said what Kerberos server you're using, so I'll assume you're 
using either the MIT or Heimdal servers.  If the server in question is a 
Microsoft server, then parts of what I'm about to say may be significantly 
different...

Most servers keep separate "last password change" and "last modified" 
timestamps for each principal.  The former refers specifically to the 
principal changing its own password (not having it changed by an admin). 
If you want this information to be correct for auditing purposes, then you 
want to submit a password change request on the user's behalf, rather than 
verifying the old password and making a change on your own authority.

Conveniently, this approach is also generally easier -- you just collect 
the username, old password, and new password, and then attempt a password 
change just as if you were the user.  If the old password they gave was 
invalid, then the request will fail.

If for some reason you feel you need to validate the password yourself, 
then you will want to do it correctly.  That means not just getting a 
ticket, but getting a ticket for a service whose secret key you know, so 
that you can verify that the ticket is legitimate.  Without this step, an 
attacker can give you any random string as the "old password", and then 
forge the response you get from the Kerberos server to make you think the 
password is valid.  Offhand, I don't know of a way to do this from Perl; 
maybe someone else here knows of a stable set of perl modules providing 
access to the Kerberos API.


> Once I'm able to
> validate the user's expired information, I already have a system in
> place that will change their password through a web-based form...  It's
> just the authentication with expired credentials that's killing.

This is likely because the KDC will not issue tickets to a principal with 
an expired password -- doing so would sort of defeat the purpose of having 
the password expire in the first place.  Once a password is expired, the 
KDC will only issue initial tickets for services which are flagged as 
password-changing services.


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
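The three points above (a checker that only "gets a ticket" can be fooled by a forged KDC reply; a checker that also fetches a ticket for a service whose key it holds cannot; and an expired principal still gets a ticket for the password-changing service, so the easiest path is to change the password as the user would) can be shown in a small model. The code below is an added example, not code from this thread or from MIT, Heimdal or any Kerberos library. The KDC, the rogue KDC, the HMAC-based "sealing" that stands in for Kerberos encryption, and every principal and password are constructed for the example; the TGS exchange is simplified to the parts the argument needs. In a real deployment, verified_check corresponds to libkrb5's krb5_verify_init_creds() run against a keytab, and change_password_as_user to obtaining a kadmin/changepw ticket with the old password and then invoking the password-change protocol.

```python
import hashlib
import hmac
import secrets


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (constructed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)


def seal(key: bytes, payload: bytes) -> bytes:
    """Stand-in for Kerberos encryption.  Only a holder of `key` can produce a
    blob that unseal() accepts, which is the property the argument relies on."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def unseal(key: bytes, blob: bytes) -> bytes:
    tag, payload = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        raise ValueError("wrong key")
    return payload


class KeyExpired(Exception):
    """Models the KDC refusing to issue a ticket because the password expired."""


class KDC:
    """Honest KDC: holds the user keys, the TGS key and every service key."""
    CHANGEPW = "kadmin/changepw"

    def __init__(self):
        self.users = {}  # name -> {"key": bytes, "expired": bool}
        self.services = {"krbtgt": secrets.token_bytes(32), self.CHANGEPW: secrets.token_bytes(32)}

    def add_user(self, name, password, expired=False):
        self.users[name] = {"key": string_to_key(password, name), "expired": expired}

    def add_service(self, name):
        """Registers a service and returns its key: the checker's 'keytab'."""
        self.services[name] = secrets.token_bytes(32)
        return self.services[name]

    def _issue(self, user, service):
        session = secrets.token_bytes(16)
        ticket = seal(self.services[service], user.encode() + b":" + session)
        enc_part = seal(self.users[user]["key"], session)  # readable only with the user's key
        return enc_part, ticket

    def as_exchange(self, user, service="krbtgt"):
        """An expired password only gets a ticket for the password-changing service."""
        if self.users[user]["expired"] and service != self.CHANGEPW:
            raise KeyExpired(user)
        return self._issue(user, service)

    def tgs_exchange(self, tgt, service):
        """The presented TGT must be one this KDC sealed itself."""
        user = unseal(self.services["krbtgt"], tgt).split(b":", 1)[0].decode()
        return self._issue(user, service)[1]

    def change_password(self, changepw_ticket, new_password):
        user = unseal(self.services[self.CHANGEPW], changepw_ticket).split(b":", 1)[0].decode()
        self.users[user] = {"key": string_to_key(new_password, user), "expired": False}


class RogueKDC:
    """Spoofed KDC reply.  It knows none of the real keys, but it knows the
    string the checker is about to try, because that string was supplied to it."""

    def __init__(self, user, supplied_password):
        self.fake_key = string_to_key(supplied_password, user)
        self.junk = secrets.token_bytes(32)

    def as_exchange(self, user, service="krbtgt"):
        session = secrets.token_bytes(16)
        return seal(self.fake_key, session), seal(self.junk, user.encode() + b":" + session)

    def tgs_exchange(self, tgt, service):
        return seal(self.junk, b"forged")  # cannot be sealed under the real service key


def naive_check(kdc, user, password):
    """'Just getting a ticket': trust the AS reply if it decrypts under the
    key derived from the supplied password."""
    try:
        enc_part, _tgt = kdc.as_exchange(user)
        unseal(string_to_key(password, user), enc_part)
        return True
    except ValueError:
        return False


def verified_check(kdc, user, password, service, keytab_key):
    """The check the post recommends: also fetch a ticket for a service whose
    key we hold, and confirm it decrypts under that key for this user."""
    try:
        enc_part, tgt = kdc.as_exchange(user)
        unseal(string_to_key(password, user), enc_part)
        ticket = unseal(keytab_key, kdc.tgs_exchange(tgt, service))
        return ticket.split(b":", 1)[0] == user.encode()
    except ValueError:
        return False


def change_password_as_user(kdc, user, old_password, new_password):
    """Request a kadmin/changepw ticket exactly as the user would (issued even
    when the password is expired); a wrong old password makes the request fail."""
    enc_part, ticket = kdc.as_exchange(user, KDC.CHANGEPW)
    try:
        unseal(string_to_key(old_password, user), enc_part)
    except ValueError:
        return False
    kdc.change_password(ticket, new_password)
    return True
```

Running the checks against the honest KDC and then against a RogueKDC constructed with an arbitrary string shows the difference: naive_check accepts that string from the rogue, verified_check does not, and an expired principal fails verified_check with KeyExpired while change_password_as_user still succeeds with the correct old password.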
