Validating Users With Expired Passwords

Jeffrey Hutzelman jhutz at cmu.edu
Thu Jan 19 18:27:32 EST 2006



On Thursday, January 19, 2006 04:35:26 PM -0600 John Hascall 
<john at iastate.edu> wrote:

>
>> On Thursday, January 19, 2006 03:31:53 PM -0600 John Hascall
>> <john at iastate.edu> wrote:
>> > If you present a correct but expired password to Kerberos
>> > you will get a 'password expired' error, which is different
>> > from the 'password incorrect' error you get if the password
>> > is not correct (expired or not).
>
>> Careful here.  Kerberos error messages are not authenticated, so you'll
>> also get this error if an attacker decides to trick you into letting him
>> set someone's password by sending you a false error message.
>
> True, but the correct password will be needed to use the change-password
> ticket later, so it seems at best they can dick you around a bit.

True, unless the plan later is to have an admin change the password...

-- Jeff
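The exchange above turns on one property: a KRB-ERROR carries no proof of who sent it, while an AS-REP can only be read (and so verified) with the key derived from the user's password. The toy model below, an added example that is not part of the thread, shows the client-side consequence: a "password expired" status is accepted only once the KDC has issued a change-password ticket the client can verify under that key, so a forged error can at most cause a retry, never a decision. The `ToyKDC`, the principal records, the `seal` HMAC standing in for Kerberos encryption, the `krbtgt/EXAMPLE.REALM` placeholder and the `forged_expired_error` path are all constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Error codes for the thread's two cases; names follow the RFC 4120 spellings.
KDC_ERR_KEY_EXPIRED = "KDC_ERR_KEY_EXPIRED"
KDC_ERR_PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"
TGS_SERVICE = "krbtgt/EXAMPLE.REALM"   # placeholder realm, constructed for the example
CHANGEPW_SERVICE = "kadmin/changepw"


def string_to_key(password, principal):
    """Stand-in for the Kerberos string-to-key function (toy, not RFC 3962)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20_000)


def seal(key, body):
    """Toy replacement for the AS-REP enc-part: an HMAC over the body under the user's key."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).digest()


class ToyKDC:
    """Minimal KDC; principals is {name: {"password": str, "expired": bool}} (constructed data)."""

    def __init__(self, principals):
        self.principals = principals

    def as_req(self, principal, password, service, nonce):
        rec = self.principals.get(principal)
        key = string_to_key(password, principal)
        # Pre-authentication is checked first, so a genuine 'expired' reply does imply
        # the password was right, as the thread says. The catch is the word 'genuine'.
        if rec is None or not hmac.compare_digest(key, string_to_key(rec["password"], principal)):
            return {"type": "KRB-ERROR", "code": KDC_ERR_PREAUTH_FAILED}
        # An expired key may still obtain a change-password ticket, but nothing else.
        if rec["expired"] and service != CHANGEPW_SERVICE:
            return {"type": "KRB-ERROR", "code": KDC_ERR_KEY_EXPIRED}
        body = {"service": service, "nonce": nonce, "session_key": os.urandom(16).hex()}
        return {"type": "AS-REP", "body": body, "mac": seal(key, body).hex()}


def forged_expired_error(principal, password, service, nonce):
    """Someone in the path answering every request with an unauthenticated 'expired' error."""
    return {"type": "KRB-ERROR", "code": KDC_ERR_KEY_EXPIRED}


def reply_verified(reply, key, nonce):
    """True only for an AS-REP whose sealed part checks under the user's key and echoes our nonce."""
    if reply.get("type") != "AS-REP":
        return False
    try:
        got = bytes.fromhex(reply["mac"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(seal(key, reply["body"]), got) and reply["body"].get("nonce") == nonce


def naive_status(send, principal, password):
    """The pattern the thread warns about: taking the error code at face value."""
    reply = send(principal, password, TGS_SERVICE, 0)
    if reply.get("type") == "AS-REP":
        return "ok"
    return "expired" if reply.get("code") == KDC_ERR_KEY_EXPIRED else "wrong-password"


def login_status(send, principal, password):
    """Returns 'ok', 'expired-verified' or 'unverified'.

    A KRB-ERROR by itself never decides the outcome. 'expired-verified' is reported only
    after the KDC proves the password is right by issuing a change-password ticket the
    client can verify under the key derived from that password.
    """
    key = string_to_key(password, principal)
    nonce = int.from_bytes(os.urandom(4), "big")
    reply = send(principal, password, TGS_SERVICE, nonce)
    if reply_verified(reply, key, nonce):
        return "ok"
    if reply.get("type") == "KRB-ERROR" and reply.get("code") == KDC_ERR_KEY_EXPIRED:
        nonce2 = int.from_bytes(os.urandom(4), "big")
        reply2 = send(principal, password, CHANGEPW_SERVICE, nonce2)
        if reply_verified(reply2, key, nonce2):
            return "expired-verified"
    # Wrong password, a forged error, or a dropped reply all end here: nothing was authenticated.
    return "unverified"
```

With a real KDC, `login_status` returns `"ok"` for a valid password, `"expired-verified"` for a correct but expired one, and `"unverified"` for a wrong one; against `forged_expired_error` it can only ever return `"unverified"`, whereas `naive_status` reports `"expired"` for any account the forger names. That last result is the case Jeff raises: a workflow that hands an unverified "expired" status to an administrator for a reset is acting on a message nobody has authenticated.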


