Avoiding Pre-Auth/Auth Principal State Disclosure

Chris Hecker checker at d6.com
Wed Jul 1 02:55:52 EDT 2020


There are actually a bunch of places that leak information about valid
princs; I wonder if there’s a todo item to clean those up at some point?  I
can’t remember the one or two I found, since it was a while ago, but I posted
them to the list as well.

Chris


On Tue, Jun 30, 2020 at 23:01 Eric Hattemer <ehatteme at usc.edu> wrote:

> If you run a client like kinit and ask for a principal with
> REQUIRES_PRE_AUTH and a disabled/pw_expired/locked-out state, or request
> a principal that doesn't exist, you aren't asked for a password and get
> an immediate response with the status of the account.  Is there a way to
> avoid this behavior?  People have created hacking toolkits that try
> every possible username to download the list of usernames in the
> database and their state.
>
> I know pre-auth is a special case where you'd need to provide a
> plausible challenge for non-existent accounts.  But is there maybe a
> setting to treat unknown principals as if they had pre-auth disabled,
> request a password, and just send back invalid password / encryption
> failed no matter what?
>
> We were trying to implement an authentication proxy module that uses
> Kerberos, and we wanted to only disclose an account was disabled if the
> user typed in the correct password.  But the only case we could make
> work was if the account was expired (different from pw_expired).
>
>
> --
> Eric Hattemer
> Engineer
> Identity and Access Management
>
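As an added example, not from this thread or from MIT krb5: detection logic a KDC administrator could run over krb5kdc log lines to spot the enumeration Eric describes, where one source sends AS_REQs for many distinct principals and harvests the per-principal status from the differing replies. The log line format and status tokens are assumed to follow MIT krb5kdc's AS_REQ logging; the sample lines and addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of MIT krb5kdc AS_REQ log entries.
# Status tokens (CLIENT_NOT_FOUND, NEEDED_PREAUTH, ...) are assumed; adapt
# AS_REQ_RE to the exact format your KDC writes.
SAMPLE_KDC_LOG = """\
Jun 30 23:01:02 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: aaron@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:02 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 30 23:01:03 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT KEY EXPIRED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jun 30 23:01:03 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:04 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:05:10 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 30 23:05:11 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1593572711, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Source address, status token, and the remainder of an AS_REQ line.
AS_REQ_RE = re.compile(r"AS_REQ \([^)]*\) (?P<src>\S+): (?P<status>[A-Z_ ]+?): (?P<rest>.*)$")
# The client principal is the "x@REALM" that precedes "for <server principal>".
CLIENT_RE = re.compile(r"(?P<client>\S+@\S+) for ")


def parse_as_req(line):
    """Return (source, status, client principal) for an AS_REQ line, else None."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    c = CLIENT_RE.search(m.group("rest"))
    if not c:
        return None
    return m.group("src"), m.group("status"), c.group("client")


def find_enumeration(log_text, min_principals=3):
    """Flag sources whose non-ISSUE AS_REQs touch many distinct principals.

    A legitimate client normally names one principal; an enumeration run names
    many, most of them unknown. Returns {source: {status: [principals]}}.
    """
    probes = defaultdict(lambda: defaultdict(set))  # src -> status -> principals
    for line in log_text.splitlines():
        parsed = parse_as_req(line)
        if parsed is None:
            continue
        src, status, client = parsed
        if status == "ISSUE":  # a ticket was issued: not a probe
            continue
        probes[src][status].add(client)
    alerts = {}
    for src, by_status in probes.items():
        distinct = set().union(*by_status.values())
        if len(distinct) >= min_principals:
            alerts[src] = {s: sorted(p) for s, p in by_status.items()}
    return alerts
```

The per-status breakdown in each alert shows exactly what the prober learned (unknown vs. pre-auth-required vs. expired), which is the disclosure the thread is concerned about.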