There are actually a bunch of places that leak information about valid princs, I wonder if there’s a todo item to clean those up at some point? I can’t remember the one or two I found since it was a while ago but I posted it to the list as well.
Chris

On Tue, Jun 30, 2020 at 23:01 Eric Hattemer <ehatt...@usc.edu> wrote:

> If you run a client like kinit and ask for a principal with REQUIRES_PRE_AUTH and a disabled/pw_expired/locked-out state, or request a principal that doesn't exist, you aren't asked for a password and get an immediate response with the status of the account. Is there a way to avoid this behavior? People have created hacking toolkits that try every possible username to download the list of usernames in the database and their state.
>
> I know pre-auth is a special case where you'd need to provide a plausible challenge for non-existent accounts. But is there maybe a setting to treat unknown principals as if they had pre-auth disabled, request a password, and just send back invalid password / encryption failed no matter what?
>
> We were trying to implement an authentication proxy module that uses Kerberos, and we wanted to only disclose an account was disabled if the user typed in the correct password. But the only case we could make work was if the account was expired (different from pw_expired).
>
> --
> Eric Hattemer
> Engineer
> Identity and Access Management
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
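The thread asks the KDC to stop distinguishing unknown principals from real ones; until that is possible, the complementary defensive step is to notice the enumeration behaviour the toolkits described above produce in the KDC's own log. The following is an added example, not code from the thread or from MIT krb5: it parses AS_REQ lines in the style of krb5kdc.log (the exact format, the `CLIENT_NOT_FOUND`/`NEEDED_PREAUTH` status words, and the sample log lines are my assumptions and constructions, not taken from the post) and flags any source address that asks for many distinct non-existent principals within a short window, while leaving a single mistyped name alone.

```python
"""Flag AS_REQ bursts that probe many distinct, non-existent principals.

Added example, not part of the mailing-list thread. The log layout follows
MIT krb5kdc.log as I understand it (an assumption); SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 192.0.2.10 probes six unknown names in a few seconds
# (plus one real user, which gets the usual pre-auth challenge);
# 198.51.100.7 mistypes one name and then authenticates normally.
SAMPLE_LOG = """\
Jun 30 23:01:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: aaron@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: abby@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 30 23:01:03 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: adam@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:04 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:05 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: alan@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:06 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: alex@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:10 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: boob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 23:01:15 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1593561675, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Syslog-style prefix, then "AS_REQ (...) <ip>: <STATUS>: <rest>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \([^)]*\) (?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# The requested client principal always precedes "for krbtgt/".
CLIENT_RE = re.compile(r"(?P<client>\S+@\S+) for krbtgt/")


def parse_as_req(line):
    """Return {time, ip, status, client} for an AS_REQ log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    c = CLIENT_RE.search(m["rest"])
    return {
        # Syslog timestamps carry no year; only relative spacing matters here.
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "ip": m["ip"],
        "status": m["status"],
        "client": c["client"] if c else None,
    }


def detect_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: summary} for every source that requested at least
    `threshold` distinct unknown principals inside some `window`-long span.

    Only CLIENT_NOT_FOUND responses count: a valid principal that merely
    needs pre-auth or is disabled is not enumeration evidence by itself.
    """
    unknown = defaultdict(list)
    for line in lines:
        ev = parse_as_req(line)
        if ev and ev["status"] == "CLIENT_NOT_FOUND" and ev["client"]:
            unknown[ev["ip"]].append((ev["time"], ev["client"]))

    hits = {}
    for ip, events in unknown.items():
        events.sort()
        best_names, best_span = set(), None
        # Slide a window starting at each event; keep the densest one.
        for i, (t0, _) in enumerate(events):
            in_window = [(t, c) for t, c in events[i:] if t - t0 <= window]
            names = {c for _, c in in_window}
            if len(names) > len(best_names):
                best_names = names
                best_span = (t0, in_window[-1][0])
        if len(best_names) >= threshold:
            hits[ip] = {
                "distinct_unknown": len(best_names),
                "names": sorted(best_names),
                "first": best_span[0],
                "last": best_span[1],
            }
    return hits


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_unknown']} unknown principals "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

Run against a real krb5kdc.log with `detect_enumeration(open(path))`; tune `window` and `threshold` to the realm's normal typo rate, and treat a hit as a reason to rate-limit or block the source at the network edge rather than as proof on its own, since a shared NAT address can also produce clusters of unknown names.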