From nobody Fri Oct 11 15:09:41 2024 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XQ95h66Rxz5Z16L for ; Fri, 11 Oct 2024 15:09:44 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta002.cacentral1.a.cloudfilter.net (omta002.cacentral1.a.cloudfilter.net [3.97.99.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XQ95h1v7vz4kT7; Fri, 11 Oct 2024 15:09:44 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Authentication-Results: mx1.freebsd.org; none Received: from shw-obgw-4003a.ext.cloudfilter.net ([10.228.9.183]) by cmsmtp with ESMTPS id zD5SsGiJLMArNzHGxsdE3h; Fri, 11 Oct 2024 15:09:43 +0000 Received: from spqr.komquats.com ([70.66.152.170]) by cmsmtp with ESMTPSA id zHGwsRav7E0IVzHGxsnjlk; Fri, 11 Oct 2024 15:09:43 +0000 X-Auth-User: cschuber X-Authority-Analysis: v=2.4 cv=cI9DsUeN c=1 sm=1 tr=0 ts=67093fb7 a=y8EK/9tc/U6QY+pUhnbtgQ==:117 a=y8EK/9tc/U6QY+pUhnbtgQ==:17 a=kj9zAlcOel0A:10 a=DAUX931o1VcA:10 a=VxmjJ2MpAAAA:8 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8 a=a-ROP-XayN0XAlyCTWEA:9 a=CjuIK1q_8ugA:10 a=7gXAzLPJhVmCkEl4_tsf:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=LK5xJRSDVpKd5WXXoEvA:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id F0094102; Fri, 11 Oct 2024 08:09:41 -0700 (PDT) Received: by slippy.cwsent.com (Postfix, from userid 1000) id C2966203; Fri, 11 Oct 2024 08:09:41 -0700 (PDT) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: Gleb Popov cc: freebsd-hackers Subject: Re: Why Kerberos performs account management before authentication? In-reply-to: References: Comments: In-reply-to Gleb Popov message dated "Fri, 11 Oct 2024 10:53:48 +0300." List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@FreeBSD.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 11 Oct 2024 08:09:41 -0700 Message-Id: <20241011150941.C2966203@slippy.cwsent.com> X-CMAE-Envelope: MS4xfGeNXCS7yTSWzgIQ9pfwzsxcLw0NiMqqgArHj9SxMZ3KE8RtqTg4UFBSWu9wCQJlRt5dNjDRBV6vQM0rmHSG0OFBC89aNkMYfDNdGovkL0cZv1ahR6Yk soueKikE+Lem7MuXZg6pvAhhT9zt2nwb+YtSP4/WnGBNY/nQs+blaazbA+0iN6NXu43VpGesbBAivWu1HN9rWi19CTewkGSEUisR1BitHvDeV3e5gPZ6t5Zs WXO7DMUFkZHbc40h+0Z8Mw== X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US] X-Rspamd-Queue-Id: 4XQ95h1v7vz4kT7 X-Spamd-Bar: ---- In message , Gleb Popov writes: > Hey hackers. > > I understand that purely Kerberos-related questions are offtopic to > this list, but there are a lot of bright people here, and I don't know > where else to ask. > > The question isn't really Kerberos-specific either, but rather a > philosophical one - should account management (as understood by PAM) > be performed strictly after successful authentication? The "account > management" term here means checking if the account is locked, > expired, or has an expired password. > > PAM answers this question with "yes" which may be checked with > login(1). If I do either > > # pw lock john > > or > > # pw -e 1 john > > or > > # pw -p 1 john > > and then try to log in with an **incorrect** password, I always get > the same "Login incorrect" reply. This means that the information of > the account's status does not leak to an unauthenticated user. > > Now playing the same game with a Kerberos server (MS AD controller, > using MIT /usr/local/bin/kinit) reveals that when the account is in > "expired" on "locked" state, this information is disclosed even if the > applicant did not provide a correct password. I just tested this on my MIT KRB5 KDC. I created a principal and expired it at 0800U (my timezone U = PDT). Here are the results: slippy$ kinit cytest cytest@CWSENT.COM's Password: kinit: Password incorrect My MIT KRB5 KDC returns password incorrect to the FreeBSD Heimdal kinit for the expired principal. slippy$ /usr/local/bin/kinit cytest Password for cytest@CWSENT.COM: kinit: Password incorrect while getting initial credentials slippy$ It also returns password incorrect to the MIT KRB5 kinit. What you're seeing is M$ A/D behavior. At $JOB our Linux and Solaris servers authenticate to A/D, with the same results. This is an A/D thing. > > I wonder if there is a rationale for this behavior and or if this is > worth caring about at all. The benefit I see for the PAM behavior is > that a bruteforce attacker will continue fruitless attempts for a > locked/expired account. > You might want to ask Microsoft this. -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org e^(i*pi)+1=0