Validating Users With Expired Passwords
Jeffrey Hutzelman
jhutz at cmu.edu
Thu Jan 19 16:55:37 EST 2006
On Thursday, January 19, 2006 03:31:53 PM -0600 John Hascall
<john at iastate.edu> wrote:
> If you present a correct but expired password to Kerberos
> you will get a 'password expired' error, which is different
> from the 'password incorrect' error you get if the password
> is not correct (expired or not).
Careful here. Kerberos error messages are not authenticated, so you'll
also get this error if an attacker decides to trick you into letting him
set someone's password by sending you a false error message.
-- Jeff
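
The point in the reply above, as an added example (not part of the original message and not code from any Kerberos implementation): a validator that accepts a 'password expired' KRB-ERROR as proof of a correct password can be fooled by a forged error, while one that only trusts a reply protected by the user's key cannot. The message dicts, the function names and the PBKDF2/HMAC stand-ins for Kerberos string-to-key and encryption are assumptions made for illustration; it also assumes the verifier can obtain a key-protected reply for an expired account (for example an initial ticket for the password-change service).

```python
import hashlib
import hmac

# Error codes as assigned in RFC 4120.
KDC_ERR_KEY_EXPIRED = 23
KDC_ERR_PREAUTH_FAILED = 24


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key (assumption: real enctypes differ).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)


def make_as_rep(user_key: bytes, nonce: bytes) -> dict:
    # Constructed model of an AS-REP: the KDC protects the client's nonce
    # with the user's long-term key. HMAC stands in for the encrypted part.
    mac = hmac.new(user_key, nonce, hashlib.sha256).digest()
    return {"type": "AS-REP", "nonce": nonce, "mac": mac}


def make_krb_error(code: int) -> dict:
    # A KRB-ERROR is not protected by any key, so anyone able to answer
    # the request can construct one with any error code.
    return {"type": "KRB-ERROR", "error_code": code}


def strict_validate(reply: dict, password: str, salt: str, nonce: bytes) -> bool:
    # Accept only a reply that proves knowledge of the user's key and is
    # bound to the nonce we sent. Every error message is "unknown", not "valid".
    if reply.get("type") != "AS-REP" or reply.get("nonce") != nonce:
        return False
    expected = hmac.new(string_to_key(password, salt), nonce, hashlib.sha256).digest()
    return hmac.compare_digest(reply.get("mac", b""), expected)


def naive_validate(reply: dict, password: str, salt: str, nonce: bytes) -> bool:
    # Flawed: treats the unauthenticated 'password expired' error as
    # evidence that the presented password was correct.
    if reply.get("type") == "KRB-ERROR":
        return reply.get("error_code") == KDC_ERR_KEY_EXPIRED
    return strict_validate(reply, password, salt, nonce)


if __name__ == "__main__":
    salt, nonce = "EXAMPLE.COMalice", b"\x01" * 16  # constructed sample values
    forged = make_krb_error(KDC_ERR_KEY_EXPIRED)
    print("naive accepts forged error: ", naive_validate(forged, "wrong guess", salt, nonce))
    print("strict accepts forged error:", strict_validate(forged, "wrong guess", salt, nonce))
```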