Avoiding Pre-Auth/Auth Principal State Disclosure
Eric Hattemer
ehatteme at usc.edu
Wed Jul 1 01:53:44 EDT 2020
If you run a client like kinit and ask for a principal with
REQUIRES_PRE_AUTH and a disabled/pw_expired/locked-out state, or request
a principal that doesn't exist, you aren't asked for a password and get
an immediate response with the status of the account. Is there a way to
avoid this behavior? People have created hacking toolkits that try
every possible username to download the list of usernames in the
database and their state.
I know pre-auth is a special case where you'd need to provide a
plausible challenge for non-existent accounts. But is there maybe a
setting to treat unknown principals as if they had pre-auth disabled,
request a password, and just send back invalid password / encryption
failed no matter what?
We were trying to implement an authentication proxy module that uses
Kerberos, and we wanted to only disclose an account was disabled if the
user typed in the correct password. But the only case we could make
work was if the account was expired (different from pw_expired).
--
Eric Hattemer
Engineer
Identity and Access Management
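The enumeration described above leaves a recognisable pattern on the KDC side: one client address issuing AS-REQs for many different principals and collecting the state-disclosing responses (client not found, pre-auth needed, and so on) without ever following up with a pre-authenticated request. The following detection script is an added example, not part of the original message or of the MIT krb5 project. It parses constructed log lines written in the general shape of krb5kdc AS_REQ logging and flags any source whose count of distinct probed principals crosses a threshold. The sample lines, addresses, principal names and the exact status tokens are assumptions for illustration; check them against your own KDC's log output before deploying.

```python
import re
from collections import defaultdict

# Constructed sample in the general shape of MIT krb5kdc AS_REQ log lines.
# Hosts, principals and status tokens are illustrative assumptions, not captured data.
SAMPLE_LOG = """\
Jul 01 01:53:44 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: CLIENT_NOT_FOUND: aaron@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:44 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: CLIENT_NOT_FOUND: abby@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:45 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 01 01:53:45 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: CLIENT_NOT_FOUND: adam@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:46 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: CLIENT_NOT_FOUND: alan@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:50 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.20: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 01 01:53:51 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.20: ISSUE: authtime 1593582831, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Status tokens that reveal account existence or state before any password is
# presented. The first two are the common ones; the rest are assumed spellings of
# krb5kdc's validation status strings and may need adjusting for your version.
DISCLOSING_STATUSES = {
    "CLIENT_NOT_FOUND",
    "NEEDED_PREAUTH",
    "CLIENT EXPIRED",
    "CLIENT KEY EXPIRED",
    "CLIENT LOCKED OUT",
}

# Source address, status token, and the remainder of the line (which carries the
# client principal before " for krbtgt/...").
_AS_REQ_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<src>\S+): (?P<status>[A-Z][A-Z_ ]*): (?P<rest>.*)$"
)
_PRINCIPAL_RE = re.compile(r"(\S+@\S+) for krbtgt")


def parse_as_req(line):
    """Return {'src', 'status', 'principal'} for an AS_REQ line, or None."""
    m = _AS_REQ_RE.search(line)
    if not m:
        return None
    p = _PRINCIPAL_RE.search(m.group("rest"))
    return {
        "src": m.group("src"),
        "status": m.group("status"),
        "principal": p.group(1) if p else None,
    }


def find_enumeration(log_text, threshold=4):
    """Map each source address to the sorted list of principals it probed,
    keeping only sources that drew state-disclosing replies for at least
    `threshold` distinct principals."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec and rec["principal"] and rec["status"] in DISCLOSING_STATUSES:
            probed[rec["src"]].add(rec["principal"])
    return {
        src: sorted(names)
        for src, names in probed.items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for src, names in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {len(names)} distinct principals probed: {', '.join(names)}")
```

Threshold and window are deployment choices: a single workstation legitimately touches a handful of principals, while a wordlist scan touches hundreds in seconds, so running this over a sliding time window with a threshold well above normal per-host fan-out keeps false positives low. It does not stop the disclosure itself, which happens in the AS exchange before any password is sent, but it tells you when someone is harvesting it.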