Validating Users With Expired Passwords
Jeffrey Hutzelman
jhutz at cmu.edu
Thu Jan 19 16:54:03 EST 2006
On Wednesday, January 18, 2006 06:37:44 AM -0800 wiltbank at gmail.com wrote:
> In a nutshell, I need to take a username and an expired password and
> see if that truly was the user's last password.
You haven't said what Kerberos server you're using, so I'll assume you're
using either the MIT or Heimdal servers. If the server in question is a
Microsoft server, then parts of what I'm about to say may be significantly
different...
Most servers keep separate "last password change" and "last modified"
timestamps for each principal. The former refers specifically to the
principal changing its own password (not having it changed by an admin).
If you want this information to be correct for auditing purposes, then you
want to submit a password change request on the user's behalf, rather than
verifying the old password and making a change on your own authority.
Conveniently, this approach is also generally easier -- you just collect
the username, old password, and new password, and then attempt a password
change just as if you were the user. If the old password they gave was
invalid, then the request will fail.
If for some reason you feel you need to validate the password yourself,
then you will want to do it correctly. That means not just getting a
ticket, but getting a ticket for a service whose secret key you know, so
that you can verify that the ticket is legitimate. Without this step, an
attacker can give you any random string as the "old password", and then
forge the response you get from the Kerberos server to make you think the
password is valid. Offhand, I don't know of a way to do this from Perl;
maybe someone else here knows of a stable set of perl modules providing
access to the Kerberos API.
> Once I'm able to
> validate the user's expired information, I already have a system in
> place that will change their password through a web-based form... It's
> just the authentication with expired credentials that's killing.
This is likely because the KDC will not issue tickets to a principal with
an expired password -- doing so would sort of defeat the purpose of having
the password expire in the first place. Once a password is expired, the
KDC will only issue initial tickets for services which are flagged as
password-changing services.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
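The two routes Jeffrey describes, implemented as an added example that is not part of the post and not anything its author wrote: `check_password` gets an initial ticket and then proves it with a key we hold (so a forged KDC reply is caught), and `change_password` does what he actually recommends, obtaining a `kadmin/changepw` ticket with the user's old password and submitting the change as the user, which works even when the password has expired. The code drives MIT libkrb5 through Python's `ctypes` rather than Perl; it assumes the library is found by `ctypes.util.find_library("krb5")`, that our own service key is in the keytab named by `KEYTAB`, and that error codes are RFC 4120 numbers on MIT's com_err table base (all of these are the example's assumptions, not statements from the post). One caveat a practitioner wants: by default `krb5_verify_init_creds` silently reports success when the keytab has no matching key, so the example sets `ap_req_nofail`, which turns that case into a failure.

```python
"""Password check, and password change on the user's behalf, against an MIT-style KDC.
Added example; drives MIT libkrb5 via ctypes. Assumptions: library located by
find_library("krb5"), our own service key lives in KEYTAB, RFC 4120 error numbers."""
import ctypes
import ctypes.util

KEYTAB = "FILE:/etc/krb5.keytab"        # assumption: keytab holding our own service key

ERROR_TABLE_BASE_KRB5 = -1765328384     # MIT com_err base; code = base + RFC 4120 number
KRB5KDC_ERR_KEY_EXP = ERROR_TABLE_BASE_KRB5 + 23           # password expired
KRB5KDC_ERR_PREAUTH_FAILED = ERROR_TABLE_BASE_KRB5 + 24    # preauth with wrong password
KRB5KRB_AP_ERR_BAD_INTEGRITY = ERROR_TABLE_BASE_KRB5 + 31  # MIT's "Password incorrect"


class Krb5Data(ctypes.Structure):
    """Mirror of krb5_data {krb5_magic magic; unsigned int length; char *data;}."""
    _fields_ = [("magic", ctypes.c_int32), ("length", ctypes.c_uint), ("data", ctypes.c_void_p)]


def classify(code):
    """Map a krb5_error_code from the AS exchange to an outcome (pure, testable offline)."""
    if code == 0:
        return "valid"
    if code == KRB5KDC_ERR_KEY_EXP:
        return "expired"
    if code in (KRB5KDC_ERR_PREAUTH_FAILED, KRB5KRB_AP_ERR_BAD_INTEGRITY):
        return "wrong-password"
    return "error"


def _load():
    return ctypes.CDLL(ctypes.util.find_library("krb5") or "libkrb5.so.3")


def _must(code):
    if code != 0:
        raise RuntimeError("libkrb5 call failed: %d" % code)


def _session(lib, user):
    """Create a context and parse the principal; returns (ctx, princ, creds buffer)."""
    ctx, princ = ctypes.c_void_p(), ctypes.c_void_p()
    _must(lib.krb5_init_context(ctypes.byref(ctx)))
    _must(lib.krb5_parse_name(ctx, user.encode(), ctypes.byref(princ)))
    # krb5_creds is opaque to us; a zeroed 1 KiB buffer exceeds its size on every ABI
    return ctx, princ, ctypes.create_string_buffer(1024)


def _teardown(lib, ctx, princ, creds):
    lib.krb5_free_cred_contents(ctx, creds)    # safe on a still-zeroed struct
    if princ.value:
        lib.krb5_free_principal(ctx, princ)
    lib.krb5_free_context(ctx)


def check_password(user, password, lib=None):
    """Get a TGT with the password, then prove it with our own key.
    Returns valid / expired / wrong-password / spoofed / error."""
    lib = lib or _load()
    ctx, princ, creds = _session(lib, user)
    kt = ctypes.c_void_p()
    opt = ctypes.create_string_buffer(64)      # opaque krb5_verify_init_creds_opt
    try:
        code = lib.krb5_get_init_creds_password(
            ctx, creds, princ, password.encode(), None, None, 0, None, None)
        if code != 0:
            return classify(code)              # "expired": the KDC refuses a TGT
        # The AS-REP decrypts under the password we were handed, so whoever chose
        # that password can forge one. Demand a service ticket that decrypts under
        # the key in our keytab, and fail rather than skip if the key is missing.
        _must(lib.krb5_kt_resolve(ctx, KEYTAB.encode(), ctypes.byref(kt)))
        lib.krb5_verify_init_creds_opt_init(opt)
        lib.krb5_verify_init_creds_opt_set_ap_req_nofail(opt, 1)
        ok = lib.krb5_verify_init_creds(ctx, creds, None, kt, None, opt) == 0
        return "valid" if ok else "spoofed"
    finally:
        if kt.value:
            lib.krb5_kt_close(ctx, kt)
        _teardown(lib, ctx, princ, creds)


def change_password(user, old_password, new_password, lib=None):
    """Submit the change as the user: an expired password still buys a
    kadmin/changepw ticket, and the KDC itself checks the old password."""
    lib = lib or _load()
    ctx, princ, creds = _session(lib, user)
    result_code = ctypes.c_int()
    code_str, message = Krb5Data(), Krb5Data()
    try:
        code = lib.krb5_get_init_creds_password(
            ctx, creds, princ, old_password.encode(), None, None, 0, b"kadmin/changepw", None)
        if code != 0:
            return classify(code)              # wrong old password is rejected here
        _must(lib.krb5_change_password(ctx, creds, new_password.encode(),
                                       ctypes.byref(result_code),
                                       ctypes.byref(code_str), ctypes.byref(message)))
        if result_code.value != 0:             # server-side refusal, e.g. policy
            text = ctypes.string_at(message.data, message.length) if message.data else b""
            return "rejected: " + text.decode(errors="replace")
        return "changed"
    finally:
        lib.krb5_free_data_contents(ctx, ctypes.byref(code_str))
        lib.krb5_free_data_contents(ctx, ctypes.byref(message))
        _teardown(lib, ctx, princ, creds)


if __name__ == "__main__":
    import getpass, sys
    print(check_password(sys.argv[1], getpass.getpass("Current password: ")))
```

In a web password-change form the two functions compose as the post suggests: call `change_password` with the old and new passwords straight away and let the KDC judge the old one; `check_password` is only for the case where a non-expired password must be validated on its own, and it can never succeed for an expired principal because the KDC will not issue it a TGT, which is exactly the behaviour the post explains.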