Validating Users With Expired Passwords

Jeffrey Hutzelman jhutz at cmu.edu
Thu Jan 19 16:55:37 EST 2006



On Thursday, January 19, 2006 03:31:53 PM -0600 John Hascall 
<john at iastate.edu> wrote:

> If you present a correct but expired password to Kerberos
> you will get a 'password expired' error, which is different
> from the 'password incorrect' error you get if the password
> is not correct (expired or not).

Careful here.  Kerberos error messages are not authenticated, so you'll 
also get this error if an attacker decides to trick you into letting him 
set someone's password by sending you a false error message.

-- Jeff
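The caveat in the reply above, as an added example that is not part of the original post: a simplified Python model of an application that validates passwords against a KDC, comparing logic that trusts the "password expired" error with logic that treats it only as a hint. The function names and sample data are assumptions made for illustration, and the HMAC tag is a stand-in for the real reply's encryption under the user's key; only the two error codes are taken from RFC 4120.

```python
import hashlib
import hmac
import os

KDC_ERR_KEY_EXPIRED = 23     # RFC 4120 error codes
KDC_ERR_PREAUTH_FAILED = 24


def as_rep(user_key: bytes, nonce: bytes) -> dict:
    """Model of a successful reply: bound to the user's key and our nonce."""
    tag = hmac.new(user_key, nonce, hashlib.sha256).digest()
    return {"type": "AS-REP", "nonce": nonce, "tag": tag}


def krb_error(code: int) -> dict:
    """Model of a KRB-ERROR: no keyed check, so any on-path sender can forge it."""
    return {"type": "KRB-ERROR", "error_code": code}


def naive_verdict(reply: dict, user_key: bytes, nonce: bytes) -> str:
    """Flawed: treats the error code as proof that the password was right."""
    if reply["type"] == "KRB-ERROR":
        if reply["error_code"] == KDC_ERR_KEY_EXPIRED:
            return "correct-but-expired"
        return "rejected"
    return careful_verdict(reply, user_key, nonce)


def careful_verdict(reply: dict, user_key: bytes, nonce: bytes) -> str:
    """Only a reply verified under the user's key counts as evidence."""
    if reply["type"] == "AS-REP" and reply["nonce"] == nonce:
        expected = hmac.new(user_key, nonce, hashlib.sha256).digest()
        if hmac.compare_digest(reply["tag"], expected):
            return "authenticated"
        return "rejected"
    if reply.get("error_code") == KDC_ERR_KEY_EXPIRED:
        # Hint only: send the user to a change-password flow that itself
        # verifies the old password; never reset on the strength of this.
        return "unverified-expiry-hint"
    return "rejected"


# Constructed sample data: a key derived from a made-up password.
KEY = hashlib.pbkdf2_hmac("sha256", b"correct horse", b"EXAMPLE.ORGalice", 1000)
NONCE = os.urandom(16)
FORGED = krb_error(KDC_ERR_KEY_EXPIRED)   # an error no key ever vouched for
```

With a wrong key and the forged error, `naive_verdict` reports the password as correct but expired, while `careful_verdict` returns only the unverified hint.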


