From: Gleb Popov
Date: Fri, 11 Oct 2024 10:53:48 +0300
Subject: Why Kerberos performs account management before authentication?
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
To: freebsd-hackers

Hey hackers.

I understand that purely Kerberos-related questions are offtopic to this list, but there are a lot of bright people here, and I don't know where else to ask.

The question isn't really Kerberos-specific either, but rather a philosophical one: should account management (as understood by PAM) be performed strictly after successful authentication? The "account management" term here means checking if the account is locked, expired, or has an expired password.

PAM answers this question with "yes", which may be checked with login(1). If I do either

  # pw lock john

or

  # pw -e 1 john

or

  # pw -p 1 john

and then try to log in with an **incorrect** password, I always get the same "Login incorrect" reply. This means that information about the account's status does not leak to an unauthenticated user.
Now playing the same game with a Kerberos server (MS AD controller, using MIT /usr/local/bin/kinit) reveals that when the account is in the "expired" or "locked" state, this information is disclosed even if the applicant did not provide a correct password.

I wonder if there is a rationale for this behavior, or if this is worth caring about at all. The benefit I see for the PAM behavior is that a bruteforce attacker will continue fruitless attempts for a locked/expired account.
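The two orderings the post contrasts, modelled as an added example (this is not FreeBSD, PAM or MIT Kerberos code, and the account records, passwords, fixed clock and helper names below are all constructed for the illustration). login_pam_order() mirrors what login(1) does: the secret is verified first, and lock/expiry state is consulted only after a successful authentication, so a caller with a wrong password always sees "Login incorrect". login_kdc_order() mirrors the ordering the post reports observing against the AD KDC: account state is checked first, so a wrong password still reveals whether the account is locked or expired. status_leaks() is the attacker's view: it sends a wrong password for a target account and for a known-healthy one and reports whether the replies differ.

```python
"""Authenticate-then-acct_mgmt (PAM/login(1)) versus acct_mgmt-then-authenticate
ordering, and the account-status oracle the second one exposes.

Constructed example: records, passwords, the fixed clock and all function
names are made up for this demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Fixed clock so expiry checks are deterministic (constructed).
NOW = datetime(2024, 10, 11, 7, 53, tzinfo=timezone.utc)
PBKDF2_ROUNDS = 20_000  # kept low for the demo; use far more in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False                    # analogue of: pw lock <user>
    expires: Optional[datetime] = None      # analogue of: pw -e <date> <user>
    pw_expires: Optional[datetime] = None   # analogue of: pw -p <date> <user>

    @classmethod
    def create(cls, name: str, password: str, **flags) -> "Account":
        salt = os.urandom(16)
        return cls(name, salt, _hash(password, salt), **flags)


# A dummy record used to burn the same hashing cost for unknown users, so
# timing does not distinguish "no such user" from "wrong password".
_DUMMY = Account.create("nobody", "unused")


def authenticate(acct: Account, password: str) -> bool:
    """pam_sm_authenticate analogue: verifies only the secret."""
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def acct_mgmt(acct: Account) -> Optional[str]:
    """pam_sm_acct_mgmt analogue: a reason string if the account is unusable."""
    if acct.locked:
        return "account locked"
    if acct.expires is not None and acct.expires <= NOW:
        return "account expired"
    if acct.pw_expires is not None and acct.pw_expires <= NOW:
        return "password expired"
    return None


def login_pam_order(db: Dict[str, Account], user: str, password: str) -> str:
    """login(1) ordering: status is consulted only after the secret checks out."""
    acct = db.get(user)
    ok = authenticate(acct if acct is not None else _DUMMY, password)
    if acct is None or not ok:
        return "Login incorrect"        # identical reply for any failure
    problem = acct_mgmt(acct)
    return problem if problem else "OK"


def login_kdc_order(db: Dict[str, Account], user: str, password: str) -> str:
    """Ordering the post observed against AD: status is reported before the secret is checked."""
    acct = db.get(user)
    if acct is None:
        return "Login incorrect"
    problem = acct_mgmt(acct)
    if problem:
        return problem                  # leaks state to an unauthenticated caller
    return "OK" if authenticate(acct, password) else "Login incorrect"


def status_leaks(login: Callable[[Dict[str, Account], str, str], str],
                 db: Dict[str, Account], target: str, healthy: str = "alice") -> bool:
    """Attacker's probe: with a wrong password, does `target` answer differently
    from a known-good account?  True means the account's status is disclosed."""
    probe = "definitely-not-the-password"
    return login(db, target, probe) != login(db, healthy, probe)


def build_db() -> Dict[str, Account]:
    """Constructed accounts mirroring the post's pw(8) experiments."""
    return {
        "alice": Account.create("alice", "correct horse battery staple"),
        "john":  Account.create("john", "hunter2", locked=True),
        "eve":   Account.create("eve", "s3cret", expires=NOW - timedelta(days=1)),
        "mallory": Account.create("mallory", "pa55", pw_expires=NOW - timedelta(hours=1)),
    }


if __name__ == "__main__":
    db = build_db()
    for user in ("john", "eve", "mallory", "ghost"):
        print(f"{user:8} PAM order: {login_pam_order(db, user, 'wrong'):16} "
              f"KDC order: {login_kdc_order(db, user, 'wrong')}")
```

Run as a script it prints one line per probed account; the PAM-ordered column is "Login incorrect" throughout, while the KDC-ordered column names the locked and expired accounts without the caller ever having presented a valid secret. The uniform reply alone is not the whole story: the dummy hash for unknown users is there because an equal error string with unequal response time is still an oracle.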