[38783] in Kerberos


Re: Avoiding Pre-Auth/Auth Principal State Disclosure

daemon@ATHENA.MIT.EDU (Chris Hecker)
Wed Jul 1 02:58:37 2020

MIME-Version: 1.0
In-Reply-To: <e7075d39-df65-39ff-9389-432d38d0059f@usc.edu>
From: Chris Hecker <checker@d6.com>
Date: Tue, 30 Jun 2020 23:55:52 -0700
Message-ID: <CAOdMLc2koDuuBW+98Ssa3gnnMPRh8QwxZ8k6kD1bhnXPg4x9bQ@mail.gmail.com>
To: Eric Hattemer <ehatteme@usc.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

There are actually a bunch of places that leak information about valid
princs. I wonder if there's a to-do item to clean those up at some point? I
can't remember the one or two I found since it was a while ago, but I posted
it to the list as well.

Chris


On Tue, Jun 30, 2020 at 23:01 Eric Hattemer <ehatteme@usc.edu> wrote:

> If you run a client like kinit and ask for a principal with
> REQUIRES_PRE_AUTH and a disabled/pw_expired/locked-out state, or request
> a principal that doesn't exist, you aren't asked for a password and get
> an immediate response with the status of the account.  Is there a way to
> avoid this behavior?  People have created hacking toolkits that try
> every possible username to download the list of usernames in the
> database and their state.
>
> I know pre-auth is a special case where you'd need to provide a
> plausible challenge for non-existent accounts.  But is there maybe a
> setting to treat unknown principals as if they had pre-auth disabled,
> request a password, and just send back invalid password / encryption
> failed no matter what?
>
> We were trying to implement an authentication proxy module that uses
> Kerberos, and we wanted to only disclose an account was disabled if the
> user typed in the correct password.  But the only case we could make
> work was if the account was expired (different from pw_expired).
>
>
> --
> Eric Hattemer
> Engineer
> Identity and Access Management
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
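The thread leaves the disclosure in place, so a defender's fallback is to spot it in KDC logs. The script below is an added example, not code from this thread or from MIT krb5: it scans constructed AS_REQ log lines (format loosely modelled on krb5kdc output, an assumption) and flags a client address that draws pre-password status responses for many distinct principals.

```python
import re
from collections import defaultdict

# Statuses the KDC returns before any password is supplied; each one tells the
# caller something about the principal (missing, needs pre-auth, locked, ...).
PRE_PASSWORD_STATUSES = {"CLIENT_NOT_FOUND", "NEEDED_PREAUTH", "CLIENT_LOCKED_OUT",
                         "CLIENT_KEY_EXPIRED"}

# Loosely modelled on MIT krb5kdc AS_REQ lines; the exact layout is an assumption.
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ .*? (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<princ>\S+) for "
)

def detect_enumeration(log_text, min_distinct=4):
    """Return {client_ip: sorted probed principals} for clients that drew a
    pre-password status for at least `min_distinct` different principals."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        if not m or m["status"] not in PRE_PASSWORD_STATUSES:
            continue  # ticket issued, preauth failed, or unparseable line
        probed[m["ip"]].add(m["princ"])
    return {ip: sorted(p) for ip, p in probed.items() if len(p) >= min_distinct}

# Constructed sample log: one client walks an alphabetical username list and
# gets an account-state answer for each; two other clients behave normally.
SAMPLE_LOG = """\
Jun 30 23:01:01 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: aaron@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:01 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: abby@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:02 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: NEEDED_PREAUTH: adam@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 30 23:01:02 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_LOCKED_OUT: alan@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client's credentials have been revoked
Jun 30 23:01:03 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: alex@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:05:10 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.21: NEEDED_PREAUTH: ehatteme@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 30 23:05:11 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.21: ISSUE: authtime 1593583511, etypes {rep=18 tkt=18 ses=18}, ehatteme@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 30 23:07:00 kdc krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.22: CLIENT_NOT_FOUND: ehattemr@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
"""

if __name__ == "__main__":
    for ip, princs in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip} probed {len(princs)} principals: {', '.join(princs)}")
```

A single typo from a legitimate user (10.0.0.22) stays below the threshold; tune `min_distinct` and add a time window for production use.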

