Krb5 attempts authentication twice in case of wrong password

Roland C. Dowdeswell elric at imrryr.org
Fri Nov 9 10:39:17 EST 2018


On Fri, Nov 09, 2018 at 12:55:53PM +0000, Manoj Unni Krishnan -X (munnikri - HCL TECHNOLOGIES LIMITED at Cisco) wrote:
>

> We are using Kerberos (version 1.9) in one of our components and
> we see for a single Kerberos authentication with wrong password,
> krb5 tries twice then fails with error:

MIT Kerberos will generally fail back to trying the master KDC if
you enter an invalid passwd.  This gives the appearance of instant
passwd changes which, I think, is a feature.  That is: if you change
your passwd, it will be changed on the master KDC.  This change
will then propagate to the various slave KDCs and this may take
time.  If a user tries to log in again with their new passwd, it
may fail.  This causes user confusion.  Failing back to the master,
though, given that it has the latest data, will allow the user to
obtain tickets.

> krb5: Received error from KDC: -1765328360/Preauthentication failed
> 
> if we have configured user account lock for 3 bad password attempts
> in Active Directory the user gets locked in 2nd attempt itself as
> krb5 would have attempted 4 times.

I would not generally recommend account lockouts because the first
thing that a hacker would do upon getting into your network is to
try all of the admins passwds until they can't log in.  This would
make it quite difficult to get them out.

Account lockouts are intentionally building a DoS into your
environment.

> We had a look at the latest krb5 src code for the file get_in_tkt.c,
> could see there are lots of changes been done, But we are having
> difficulty in moving to the latest version of Kerberos, as there
> are lot of customizations done over the version  of Kerberos (1.9)
> that we are using. Hence could you please let us know whether the
> retry attempt has been fixed as part of any bug/commit we could
> port it to 1.9.

You should be able to disable this feature by failing to define a
master KDC.  Check your krb5.conf and see if you have it defined
there or look for the DNS SRV RRs _kerberos-master._udp.REALM or
_kerberos-master._tcp.REALM.

--
    Roland C. Dowdeswell                   http://Imrryr.ORG/~elric/
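Added example, not code from this thread or from MIT krb5: a small Python script that does the check suggested above. It parses a krb5.conf (sections, `key = value`, and the `{ ... }` realm blocks), reports whether a realm has a `master_kdc` configured, and, if it does not, lists the `_kerberos-master` SRV names that would be queried when DNS KDC lookup is on. The two configurations are constructed samples; the assumptions that `dns_lookup_kdc` defaults to true and that the profile library accepts y/yes/true/t/1/on as "true" are taken from the MIT krb5.conf documentation and should be confirmed against the 1.9 profile code you actually ship.

```python
"""Report whether MIT krb5's master-KDC fallback can fire for a realm.

Fallback happens when an AS-REQ fails with a bad password and the library
can find a master KDC, either from master_kdc in [realms] or from the
_kerberos-master SRV records. Both sources are inspected here; the DNS
query itself is left to the operator (see the usage note).
"""
import re

# Constructed sample: master_kdc present for EXAMPLE.COM, DNS lookup on.
SAMPLE_WITH_MASTER = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
    OTHER.ORG = {
        kdc = kdc.other.org
    }
"""

# Constructed sample with the fallback switched off: no master_kdc and
# no DNS KDC lookup, so there is nothing for the library to fall back to.
SAMPLE_NO_FALLBACK = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
"""

# Spellings the MIT profile library treats as true (assumption, see lead-in).
_TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values...]}}.

    A value that is a '{ ... }' block becomes a nested dict; every key maps
    to a list because keys such as 'kdc' may legitimately repeat.
    """
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or full-line comment
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header and not stack:
            section = conf.setdefault(header.group(1), {})
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        if section is None:
            raise ValueError("key/value before any [section]: %r" % raw)
        target = stack[-1] if stack else section
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            target.setdefault(key, []).append(block)
            stack.append(block)
        else:
            target.setdefault(key, []).append(value)
    return conf


def realm_block(conf, realm):
    """Return the [realms] sub-block for a realm, or {} if absent."""
    blocks = conf.get("realms", {}).get(realm, [])
    return blocks[0] if blocks and isinstance(blocks[0], dict) else {}


def configured_master_kdcs(conf, realm):
    """master_kdc entries for the realm, in file order."""
    return list(realm_block(conf, realm).get("master_kdc", []))


def dns_lookup_kdc_enabled(conf):
    """Value of [libdefaults] dns_lookup_kdc; assumed true when unset."""
    values = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])
    return values[-1].lower() in _TRUE_WORDS


def master_srv_names(realm):
    """SRV owner names krb5 consults for the master KDC when DNS lookup is on."""
    return ["_kerberos-master._udp." + realm, "_kerberos-master._tcp." + realm]


def fallback_report(conf, realm):
    """Classify how the bad-password fallback could reach a master KDC."""
    masters = configured_master_kdcs(conf, realm)
    if masters:
        return {"fallback": "profile", "targets": masters, "dns_check": []}
    if dns_lookup_kdc_enabled(conf):
        return {"fallback": "dns", "targets": [], "dns_check": master_srv_names(realm)}
    return {"fallback": "none", "targets": [], "dns_check": []}


if __name__ == "__main__":
    for label, text in (("as configured", SAMPLE_WITH_MASTER),
                        ("fallback disabled", SAMPLE_NO_FALLBACK)):
        conf = parse_krb5_conf(text)
        for realm in conf.get("realms", {}):
            print(label, realm, fallback_report(conf, realm))
```

When the report says `dns`, the profile is silent and the answer depends on the zone: run `dig +short SRV _kerberos-master._udp.EXAMPLE.COM` (and the `_tcp` name) against the resolvers the client uses; any answer means the retry against the master can still happen, so the record has to go as well as the `master_kdc` line. Removing the fallback also removes the behaviour Roland describes above, where a freshly changed password works before it has propagated to the slaves, so weigh that against the lockout threshold before changing it.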

