If you run a client like kinit and ask for a principal with REQUIRES_PRE_AUTH and a disabled/pw_expired/locked-out state, or request a principal that doesn't exist, you aren't asked for a password and get an immediate response with the status of the account. Is there a way to avoid this behavior? People have created hacking toolkits that try every possible username to download the list of usernames in the database and their state.
I know pre-auth is a special case where you'd need to provide a plausible challenge for non-existent accounts. But is there maybe a setting to treat unknown principals as if they had pre-auth disabled, request a password, and just send back invalid password / encryption failed no matter what? We were trying to implement an authentication proxy module that uses Kerberos, and we wanted to only disclose an account was disabled if the user typed in the correct password. But the only case we could make work was if the account was expired (different from pw_expired).

--
Eric Hattemer
Engineer, Identity and Access Management

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
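The behaviour the post describes (the KDC answering an AS-REQ that carries no pre-authentication with a status that already tells the client whether the principal exists, needs pre-auth, is locked out or has an expired key) is what the enumeration toolkits exploit, and it also leaves a footprint on the KDC side: one source address asking about many different principals, most of which it never authenticates as. The following detector is an added example, not code from the original post or from MIT Kerberos. It runs over a handful of constructed log lines whose layout is modelled on the MIT krb5kdc.log AS_REQ format (an assumption; the status strings and the regular expression should be checked against the KDC you actually run), and flags a source that probes many principals, or several non-existent ones, without ever reaching the ISSUE line that a real login produces.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the MIT krb5kdc.log AS_REQ line layout
# (assumption; not real KDC output). 10.0.0.50 is a normal kinit: one
# NEEDED_PREAUTH round trip followed by a ticket ISSUE for the same principal.
# 203.0.113.7 walks through a wordlist and gets the account state of every name
# back without ever supplying a password.
SAMPLE_LOG = """\
Mar 10 09:00:01 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.50: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 10 09:00:01 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.50: ISSUE: authtime 1710061201, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 10 09:05:13 kdc krb5kdc[2231](info): AS_REQ (1 etypes {23}) 203.0.113.7: CLIENT_NOT_FOUND: aaron@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Mar 10 09:05:13 kdc krb5kdc[2231](info): AS_REQ (1 etypes {23}) 203.0.113.7: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 10 09:05:14 kdc krb5kdc[2231](info): AS_REQ (1 etypes {23}) 203.0.113.7: CLIENT_NOT_FOUND: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Mar 10 09:05:14 kdc krb5kdc[2231](info): AS_REQ (1 etypes {23}) 203.0.113.7: CLIENT KEY EXPIRED: dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Mar 10 09:05:15 kdc krb5kdc[2231](info): AS_REQ (1 etypes {23}) 203.0.113.7: CLIENT LOCKED OUT: erin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client's credentials have been revoked
Mar 10 09:05:15 kdc krb5kdc[2231](info): AS_REQ (1 etypes {23}) 203.0.113.7: CLIENT_NOT_FOUND: frank@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
"""

# Matches "<ip>: <STATUS>: <principal> for ..." on AS_REQ lines. ISSUE lines do
# not match because the text after "ISSUE: " is not a principal, which is what
# we want: a successful login is not a probe.
LINE_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<status>[A-Z][A-Z_ ]*?): (?P<principal>[^\s@]+@[^\s,]+)"
)

# Statuses the KDC returns before any password has been proven. Each one tells
# the requester something about the account. (Strings assumed from the
# constructed sample; verify against your KDC's log.)
STATE_DISCLOSING = {
    "CLIENT_NOT_FOUND",    # principal does not exist
    "NEEDED_PREAUTH",      # principal exists and has REQUIRES_PRE_AUTH
    "CLIENT KEY EXPIRED",  # principal exists, password expired
    "CLIENT LOCKED OUT",   # principal exists, locked out
    "CLIENT EXPIRED",      # principal exists, account expired
}


def parse_as_req_errors(log_text):
    """Yield (ip, status, principal) for AS_REQ lines that disclose account state."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ISSUE lines and unrelated log noise
        status = m.group("status")
        if status in STATE_DISCLOSING:
            yield m.group("ip"), status, m.group("principal")


def find_enumerators(log_text, min_principals=5, min_unknown=3):
    """Return {ip: summary} for sources whose AS-REQ pattern looks like enumeration.

    A source is flagged when it has probed at least min_principals distinct
    principals, or has hit at least min_unknown non-existent ones. A legitimate
    client normally touches one principal and follows NEEDED_PREAUTH with ISSUE.
    """
    probed = defaultdict(set)
    unknown = defaultdict(int)
    by_status = defaultdict(lambda: defaultdict(set))
    for ip, status, principal in parse_as_req_errors(log_text):
        probed[ip].add(principal)
        by_status[ip][status].add(principal)
        if status == "CLIENT_NOT_FOUND":
            unknown[ip] += 1

    alerts = {}
    for ip, principals in probed.items():
        if len(principals) >= min_principals or unknown[ip] >= min_unknown:
            alerts[ip] = {
                "distinct_principals": len(principals),
                "unknown_principals": unknown[ip],
                "by_status": {s: sorted(p) for s, p in by_status[ip].items()},
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG).items():
        print(f"possible principal enumeration from {ip}: {summary}")
```

The thresholds are deliberately conservative: a single NEEDED_PREAUTH from an address is just kinit doing its first round trip, so the signal is breadth (many principals) and CLIENT_NOT_FOUND volume, not any one status. Tuning the window (group by time slice rather than over the whole file) and excluding known proxy or SSO hosts that legitimately authenticate many users is left to the deployment.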