Validating Users With Expired Passwords
John Hascall
john at iastate.edu
Thu Jan 19 17:35:26 EST 2006
> On Thursday, January 19, 2006 03:31:53 PM -0600 John Hascall
> <john at iastate.edu> wrote:
> > If you present a correct but expired password to Kerberos
> > you will get a 'password expired' error, which is different
> > from the 'password incorrect' error you get if the password
> > is not correct (expired or not).
> Careful here. Kerberos error messages are not authenticated, so you'll
> also get this error if an attacker decides to trick you into letting him
> set someone's password by sending you a false error message.
True, but the correct password will be needed to use the change-password
ticket later, so it seems at best they can dick you around a bit.
John
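A toy model of the exchange the two posts above argue about, added here as an illustration; it is not code from the thread, from MIT Kerberos or from any KDC. The wire format and crypto are stand-ins (an HMAC-SHA256 keystream with a MAC in place of the Kerberos encryption types, an in-process KDC object, constructed principals in a made-up realm EXAMPLE.COM), and it assumes, as MIT Kerberos does, that the KDC will still issue a kadmin/changepw ticket to a principal whose password has expired. What it shows is the point John makes: a man in the middle can rewrite KRB-ERROR to say "password expired", but cannot produce an AS-REP for kadmin/changepw that decrypts under the client's key, so an application that insists on that ticket before offering a password change cannot be talked into it with the wrong password.

```python
"""Unauthenticated KRB-ERROR vs. key-protected AS-REP: a simplified model."""
import hashlib
import hmac
import os
import time

# Real error codes from RFC 4120; everything else here is simplified.
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KRB5KDC_ERR_KEY_EXP = 23
KRB5KDC_ERR_PREAUTH_FAILED = 24


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, pt: bytes) -> bytes:
    # Toy authenticated encryption: nonce || (pt XOR keystream) || MAC.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or forged message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}  # principal -> (long-term key, password expiry as epoch seconds)

    def add_principal(self, name: str, password: str, expiry: float) -> None:
        self.db[name] = (string_to_key(password, self.realm + name), expiry)

    def as_exchange(self, req: dict) -> dict:
        """AS-REQ in, AS-REP or KRB-ERROR out. Errors are plain dicts: nothing
        binds them to this KDC, which is exactly the problem Jeff raises."""
        if req["cname"] not in self.db:
            return {"error": KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN}
        key, expiry = self.db[req["cname"]]
        try:  # PA-ENC-TIMESTAMP pre-authentication proves knowledge of the key
            ts = int(unseal(key, req["pa_enc_timestamp"]).decode())
        except ValueError:
            return {"error": KRB5KDC_ERR_PREAUTH_FAILED}
        if abs(time.time() - ts) > 300:
            return {"error": KRB5KDC_ERR_PREAUTH_FAILED}
        # Expired keys get no TGT, but may still fetch a kadmin/changepw ticket.
        if time.time() > expiry and req["sname"] != "kadmin/changepw":
            return {"error": KRB5KDC_ERR_KEY_EXP}
        session_key = os.urandom(32).hex()
        enc_part = f"{req['nonce']}|{req['sname']}|{session_key}".encode()
        return {"enc_part": seal(key, enc_part)}  # only the real key opens this


def get_ticket(send, realm: str, cname: str, password: str, sname: str):
    """Client side. Returns (error_code, session_key); raises ValueError when
    the AS-REP does not decrypt under our key or does not answer our request."""
    key = string_to_key(password, realm + cname)
    nonce = os.urandom(8).hex()
    req = {"cname": cname, "sname": sname, "nonce": nonce,
           "pa_enc_timestamp": seal(key, str(int(time.time())).encode())}
    rep = send(req)
    if "error" in rep:
        return rep["error"], None
    fields = unseal(key, rep["enc_part"]).decode().split("|")
    if fields[0] != nonce or fields[1] != sname:
        raise ValueError("AS-REP does not match our AS-REQ")
    return None, fields[2]


def validate_user(send, realm: str, user: str, password: str) -> str:
    """Returns 'ok', 'expired' (password correct, must be changed) or 'reject'."""
    try:
        err, _ = get_ticket(send, realm, user, password, "krbtgt/" + realm)
        if err is None:
            return "ok"
        if err != KRB5KDC_ERR_KEY_EXP:
            return "reject"
        # Someone says the password is expired. Do not believe the error:
        # prove the password by obtaining the change-password ticket itself.
        err, _ = get_ticket(send, realm, user, password, "kadmin/changepw")
        return "expired" if err is None else "reject"
    except ValueError:
        return "reject"  # forged or unverifiable AS-REP


def forge_key_expired(kdc: KDC):
    """Man in the middle: every KDC error becomes 'password expired'."""
    return lambda req: {"error": KRB5KDC_ERR_KEY_EXP} if "error" in kdc.as_exchange(req) else kdc.as_exchange(req)


def forge_as_rep(kdc: KDC):
    """Man in the middle: every KDC error becomes an AS-REP under a random key."""
    return lambda req: {"enc_part": seal(os.urandom(32), b"x|kadmin/changepw|y")} if "error" in kdc.as_exchange(req) else kdc.as_exchange(req)


def demo() -> dict:
    realm = "EXAMPLE.COM"  # constructed sample data
    kdc = KDC(realm)
    kdc.add_principal("alice", "correct horse", time.time() + 86400)
    kdc.add_principal("bob", "battery staple", time.time() - 1)  # expired
    return {
        "alice_good": validate_user(kdc.as_exchange, realm, "alice", "correct horse"),
        "alice_bad": validate_user(kdc.as_exchange, realm, "alice", "wrong"),
        "bob_good": validate_user(kdc.as_exchange, realm, "bob", "battery staple"),
        "bob_bad_mitm_error": validate_user(forge_key_expired(kdc), realm, "bob", "wrong"),
        "alice_bad_mitm_error": validate_user(forge_key_expired(kdc), realm, "alice", "wrong"),
        "alice_bad_mitm_asrep": validate_user(forge_as_rep(kdc), realm, "alice", "wrong"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The forged KRB-ERROR does steer the client into the "expired, change it" branch, which is as far as it gets: the kadmin/changepw AS-REP has to decrypt under the key derived from the password the user typed, and the attacker can neither make the KDC issue one for a wrong password nor fabricate one that passes the integrity check. An application that treats the error code alone as proof of a correct-but-expired password, without fetching that ticket, would be the one that can be tricked.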