Avoiding Pre-Auth/Auth Principal State Disclosure
Chris Hecker
checker at d6.com
Wed Jul 1 15:55:36 EDT 2020
> For example, if we treated single-component principals as users,
> anyone with a user/admin principal (or user/root, which has no status in
> the code but is a common convention for elevated access) would probably
> still be detectable by an attacker.
Not sure I follow this; why wouldn't they be treated like a normal princ if
we had this obscurity feature? I remember assuming vague errors would fix
this but then discovering it didn't, which was surprising. I build my KDC
myself so I wasn't worried about that part, I just was surprised it wasn't
possible.
Chris
On Wed, Jul 1, 2020 at 12:39 Greg Hudson <ghudson at mit.edu> wrote:
> On 7/1/20 1:53 AM, Eric Hattemer wrote:
> > I know pre-auth is a special case where you'd need to provide a
> > plausible challenge for non-existent accounts. But is there maybe a
> > setting to treat unknown principals as if they had pre-auth disabled,
> > request a password, and just send back invalid password / encryption
> > failed no matter what?
>
> We don't have a setting like that. The closest nod we have in the code
> to this desire is a "vague errors" setting for the KDC, which can only
> be turned on at compile time (or via ptrace, I guess) and causes the KDC
> to yield generic errors instead of useful ones. But that setting still
> allows an attacker to easily distinguish between "client principal
> requires preauth" and "client principal not found".
>
> Because the Kerberos principal namespace isn't formally divided between
> users and services, any obscurity feature would probably have some edge
> cases. For example, if we treated single-component principals as users,
> anyone with a user/admin principal (or user/root, which has no status in
> the code but is a common convention for elevated access) would probably
> still be detectable by an attacker.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
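Added example, not from the thread or from MIT krb5: a small detector for the behaviour Greg describes, where the KDC answers CLIENT_NOT_FOUND for unknown principals and NEEDED_PREAUTH for existing ones, so a source that cycles through many names and collects CLIENT_NOT_FOUND answers stands out in the KDC log. The log lines, hosts, addresses and principal names below are constructed; the line format approximates MIT krb5kdc AS_REQ logging (IPv4 only) and is an assumption to adjust for your own KDC.

```python
import re
from collections import defaultdict

# Constructed krb5kdc-style AS_REQ lines (hypothetical KDC, IPs and names).
SAMPLE_LOG = """\
Jul 01 12:39:01 kdc krb5kdc[2176](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 01 12:39:05 kdc krb5kdc[2176](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: aaron@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 12:39:05 kdc krb5kdc[2176](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: abby@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 12:39:05 kdc krb5kdc[2176](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 01 12:39:06 kdc krb5kdc[2176](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: carl@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 12:39:06 kdc krb5kdc[2176](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: dana@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 12:39:09 kdc krb5kdc[2176](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: CLIENT_NOT_FOUND: alcie@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
"""

# Assumed layout: "<client ip>: <STATUS>: <client principal> for <server principal>".
LINE_RE = re.compile(
    r"(?P<ip>\d+(?:\.\d+){3}): (?P<status>[A-Z_]+): (?P<client>\S+) for "
)


def parse_as_req(log_text):
    """Yield (ip, status, client_principal) for AS_REQ lines with a per-client status."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and "AS_REQ" in line:
            yield m.group("ip"), m.group("status"), m.group("client")


def enumeration_suspects(log_text, min_unknown=3):
    """Sources that probed at least min_unknown distinct non-existent principals.

    A single typo (192.0.2.11 above) stays below the threshold; a source that
    walks a name list does not. Returns {ip: {"unknown": [...], "known": [...]}}.
    """
    per_ip = defaultdict(lambda: {"unknown": set(), "known": set()})
    for ip, status, client in parse_as_req(log_text):
        if status == "CLIENT_NOT_FOUND":
            per_ip[ip]["unknown"].add(client)
        elif status == "NEEDED_PREAUTH":
            # The KDC has confirmed to this source that the principal exists.
            per_ip[ip]["known"].add(client)
    return {
        ip: {kind: sorted(names) for kind, names in stats.items()}
        for ip, stats in per_ip.items()
        if len(stats["unknown"]) >= min_unknown
    }


if __name__ == "__main__":
    for ip, stats in enumeration_suspects(SAMPLE_LOG).items():
        print(ip, "probed", len(stats["unknown"]), "unknown,", len(stats["known"]), "known")
```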