Avoiding Pre-Auth/Auth Principal State Disclosure

Greg Hudson ghudson at mit.edu
Wed Jul 1 15:31:54 EDT 2020


On 7/1/20 1:53 AM, Eric Hattemer wrote:
> I know pre-auth is a special case where you'd need to provide a 
> plausible challenge for non-existent accounts.  But is there maybe a 
> setting to treat unknown principals as if they had pre-auth disabled, 
> request a password, and just send back invalid password / encryption 
> failed no matter what?

We don't have a setting like that.  The closest nod we have in the code
to this desire is a "vague errors" setting for the KDC, which can only
be turned on at compile time (or via ptrace, I guess) and causes the KDC
to yield generic errors instead of useful ones.  But that setting still
allows an attacker to easily distinguish between "client principal
requires preauth" and "client principal not found".

Because the Kerberos principal namespace isn't formally divided between
users and services, any obscurity feature would probably have some edge
cases.  For example, if we treated single-component principals as users,
anyone with a user/admin principal (or user/root, which has no status in
the code but is a common convention for elevated access) would probably
still be detectable by an attacker.

