CLIENT_NOT_FOUND reply to kinit a security vulnerability?

Marcus Watts mdw at umich.edu
Mon Jun 20 14:52:15 EDT 2011


> Date:    Sat, 18 Jun 2011 01:29:38 PDT
> To:      kerberos at mit.edu
> From:    checker <checker at d6.com>
> Subject: CLIENT_NOT_FOUND reply to kinit a security vulnerability?
> 
> Hi, I'm new to using Kerberos and I'm definitely not a security expert,
> and I tried searching for this but it's pretty difficult since most of the
> hits are about people trying to get Kerberos working, so here goes...
> 
> If I do "kinit notauser" to my KDC, it replies instantly with:
> 
> > kinit: Client not found in Kerberos database while getting initial credentials
> 
> If I "kinit realuser" then it replies by asking for the password as expected.
> 
> Doesn't this allow somebody to probe the KDC to find valid user names,
> which seems like a vulnerability?  Other programs like SSH don't give any
> information away on bad usernames so you can't probe for valid ones.  I
> thought this was a security best-practice, so I was surprised to find
> Kerberos doesn't do this.  Or, is there a setting somewhere?  Or, am I
> missing something?
> 
> Thanks,
> Chris
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

The "hide all information" paradigm comes from an era when machines were
tiny 10-user "department" machines attached to slow telephone lines.
There's a classic paper from the Bell Labs folks that talks about this
for Unix.

Kerberos is typically deployed at larger institutions, where user names
are frequently discoverable in many other ways.  "Hiding information" has
much less value here.  On the other hand, support costs are much greater;
at most institutions, trivial login problems are one of the more expensive
user support issues.  Providing "your account doesn't exist" information
reduces those support costs, with little if any real decrease in security.

I think there's still a build time issue to obscure useful information
if you still believe it has security value for your environment.

				-Marcus Watts
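
Added example, not part of the original thread or of any Kerberos distribution: if the KDC keeps answering CLIENT_NOT_FOUND, the probing the question describes can still be watched for in the KDC log. The sketch below counts distinct unknown principals per source address; the log layout is assumed to follow MIT krb5kdc AS_REQ lines, and the sample lines, host name, addresses and threshold are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the MIT krb5kdc AS_REQ log layout
# (an assumption; adjust the pattern to what your KDC actually writes).
SAMPLE_LOG = """\
Jun 18 01:29:38 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: notauser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 18 01:29:39 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: admin1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 18 01:29:39 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: backup@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 18 01:29:40 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: testacct@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 18 01:29:41 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: notauser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 18 09:02:11 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: CLIENT_NOT_FOUND: realusr@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 18 09:02:19 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: NEEDED_PREAUTH: realuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""

# source address, status keyword, and requested client principal of an AS_REQ
AS_REQ = re.compile(
    r"AS_REQ \([^)]*\) (?P<src>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<client>\S+) for "
)


def find_enumeration_sources(log_text, min_unknown=3):
    """Map each source to the distinct unknown principals it asked for,
    keeping only sources that reached min_unknown distinct names."""
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m and m.group("status") == "CLIENT_NOT_FOUND":
            # A set, so one user retrying the same typo counts once.
            unknown[m.group("src")].add(m.group("client"))
    return {
        src: sorted(names)
        for src, names in unknown.items()
        if len(names) >= min_unknown
    }


if __name__ == "__main__":
    for src, names in find_enumeration_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(names)} unknown principals: {', '.join(names)}")
```

Counting distinct names rather than raw failures keeps a single mistyped login, the support case the reply is concerned with, below the threshold.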


