krb5-1.6.1 problems (on RedHat)
Russ Allbery
rra at stanford.edu
Tue Jan 13 13:40:13 EST 2009
Mike Friedman <mikef at berkeley.edu> writes:
> Now I'm having another problem with my 1.6.1 (RedHat Linux) test KDC.
> It seems that if I set the REQUIRES_PWCHANGE attribute for a principal
> and try to authenticate with an invalid password, I get back a return
> code of 31 ('decrypt integrity check failed'), instead of a 23 (password
> expired).
Hm, that seems like correct behavior to me in the presence of preauth.
Otherwise, you're leaking state about the account to a possible attacker.
> (My code depends on the RC=23 to verify that the REQUIRES_PWCHANGE
> attribute is, in fact, set. This code has been running successfully for
> years on earlier KDC versions, 1.4.2 currently, though not on Linux
> systems).
Wouldn't it be better to provide your code with an interface where it can
query that attribute directly instead of using the return code from a
failed authentication?
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list