Date: Fri, 11 Oct 2024 08:09:41 -0700 From: Cy Schubert <Cy.Schubert@cschubert.com> To: Gleb Popov <arrowd@freebsd.org> Cc: freebsd-hackers <freebsd-hackers@freebsd.org> Subject: Re: Why Kerberos performs account management before authentication? Message-ID: <20241011150941.C2966203@slippy.cwsent.com> In-Reply-To: <CALH631kPsbYakfANCqzCDKRKqL=gDs5qWpFp1FNn7EV%2B%2BqT=Gg@mail.gmail.com> References: <CALH631kPsbYakfANCqzCDKRKqL=gDs5qWpFp1FNn7EV%2B%2BqT=Gg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <CALH631kPsbYakfANCqzCDKRKqL=gDs5qWpFp1FNn7EV++qT=Gg@mail.gmail.c om> , Gleb Popov writes: > Hey hackers. > > I understand that purely Kerberos-related questions are offtopic to > this list, but there are a lot of bright people here, and I don't know > where else to ask. > > The question isn't really Kerberos-specific either, but rather a > philosophical one - should account management (as understood by PAM) > be performed strictly after successful authentication? The "account > management" term here means checking if the account is locked, > expired, or has an expired password. > > PAM answers this question with "yes" which may be checked with > login(1). If I do either > > # pw lock john > > or > > # pw -e 1 john > > or > > # pw -p 1 john > > and then try to log in with an **incorrect** password, I always get > the same "Login incorrect" reply. This means that the information of > the account's status does not leak to an unauthenticated user. > > Now playing the same game with a Kerberos server (MS AD controller, > using MIT /usr/local/bin/kinit) reveals that when the account is in > "expired" on "locked" state, this information is disclosed even if the > applicant did not provide a correct password. I just tested this on my MIT KRB5 KDC. I created a principal and expired it at 0800U (my timezone U = PDT). Here are the results: slippy$ kinit cytest cytest@CWSENT.COM's Password: kinit: Password incorrect My MIT KRB5 KDC returns password incorrect to the FreeBSD Heimdal kinit for the expired principal. slippy$ /usr/local/bin/kinit cytest Password for cytest@CWSENT.COM: kinit: Password incorrect while getting initial credentials slippy$ It also returns password incorrect to the MIT KRB5 kinit. What you're seeing is M$ A/D behavior. At $JOB our Linux and Solaris servers authenticate to A/D, with the same results. This is an A/D thing. > > I wonder if there is a rationale for this behavior and or if this is > worth caring about at all. The benefit I see for the PAM behavior is > that a bruteforce attacker will continue fruitless attempts for a > locked/expired account. > You might want to ask Microsoft this. -- Cheers, Cy Schubert <Cy.Schubert@cschubert.com> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org NTP: <cy@nwtime.org> Web: https://nwtime.org e^(i*pi)+1=0
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20241011150941.C2966203>