> Hi, we have a requirement to detect if a client is using the same incorrect
> password in authentication against the KDC. Is it possible for the KDC
> server to determine if a client is using the same incorrect password? Thanks
Ouch, is this some dang compliance requirement? I thought I had dealt with SO MANY weird compliance issues, but that's a new one to me. I'm interested in where this is coming from.

If I understand you, it seems like you mean that a single client is repeating the same incorrect password over and over. If you mean that different clients are trying to use the same incorrect password, I don't believe that's possible (nor do I understand why that would be a requirement).

Upon further thought, this seems like a completely ridiculous requirement and I cannot imagine why anyone would ask for it.

I _think_, in theory ... my first guess as to what you mean is possible. But it won't be trivial. I believe you could accomplish this by using encrypted timestamp preauth, detecting when a wrong password is seen, remembering that on the KDC, and then sending the same encrypted timestamp back to the client upon further password requests and detecting if the response was the same. That would be a lot of code and have issues if the requests went to different KDCs. It's very possible I could be wrong about that. And again, that only works with requests from the SAME client due to password salting.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
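To make the two points in the reply concrete (a repeat of the same wrong password is only recognisable from the same principal, because the string-to-key salt differs per principal, and the memory of the last failure lives on one KDC), here is a toy model added by the editor; it is not code from the list, from MIT Kerberos, or from any real KDC. It assumes a fixed KDC-chosen challenge in place of the client-chosen timestamp, a Kerberos-style salt of realm plus principal name, PBKDF2 as the string-to-key function, and a deterministic keyed MAC as a stand-in for the encryption step (real Kerberos enctypes add a random confounder, so identical plaintext under the same key does not produce identical ciphertext; that is exactly why the model has to pin the challenge and use a deterministic transform). The `ToyKDC` class, `string_to_key`, `client_response` and the sample principals and passwords are all constructed for this illustration.

```python
import hashlib
import hmac

# Constructed values for the illustration; not from any real realm.
REALM = "EXAMPLE.COM"


def string_to_key(password: str, principal: str) -> bytes:
    """Toy string-to-key: PBKDF2 over the password with a Kerberos-style
    salt of realm + principal name. Two principals sharing a password still
    get different keys, which is the salting point made in the reply."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def client_response(password: str, principal: str, challenge: bytes) -> bytes:
    """What the client sends back: the KDC's challenge under the key derived
    from whatever password the user typed. HMAC stands in for encryption here
    (assumption: deterministic, unlike real confounded Kerberos enctypes)."""
    key = string_to_key(password, principal)
    return hmac.new(key, challenge, "sha256").digest()


class ToyKDC:
    """Single-KDC model of the scheme sketched in the reply: remember the last
    failed response per principal and flag an identical repeat."""

    def __init__(self, principal_db: dict[str, str]):
        # The KDC holds derived keys, never passwords (as a real KDB does).
        self.keys = {p: string_to_key(pw, p) for p, pw in principal_db.items()}
        # Fixed challenge reused across attempts (assumption of the model;
        # it plays the role of "sending the same encrypted timestamp back").
        self.challenge = b"toy-kdc-challenge"
        # Last failed response per principal; local to this KDC instance,
        # so a second KDC in the realm would not see it.
        self.last_failed: dict[str, bytes] = {}

    def authenticate(self, principal: str, response: bytes) -> str:
        """Return 'ok', 'wrong' (new wrong password) or 'repeat-wrong'
        (byte-identical to the previous failure from this principal)."""
        expected = hmac.new(self.keys[principal], self.challenge, "sha256").digest()
        if hmac.compare_digest(expected, response):
            self.last_failed.pop(principal, None)
            return "ok"
        repeated = self.last_failed.get(principal) == response
        self.last_failed[principal] = response
        return "repeat-wrong" if repeated else "wrong"


def demo() -> list[str]:
    """Run the scenario from the thread and return the KDC verdicts in order."""
    kdc = ToyKDC({"alice": "correct horse", "bob": "battery staple"})
    c = kdc.challenge
    return [
        kdc.authenticate("alice", client_response("hunter2", "alice", c)),  # wrong
        kdc.authenticate("alice", client_response("hunter2", "alice", c)),  # repeat-wrong
        kdc.authenticate("bob", client_response("hunter2", "bob", c)),      # wrong: different salt
        kdc.authenticate("alice", client_response("letmein", "alice", c)),  # wrong: new guess
        kdc.authenticate("alice", client_response("correct horse", "alice", c)),  # ok
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running `demo()` shows the same principal repeating `hunter2` being flagged on the second try, while `bob` guessing the identical wrong password is indistinguishable from any other failure because his salt yields a different key. Because `last_failed` is in-process state, two `ToyKDC` instances for the same realm would each see only their own share of the attempts, which is the "different KDCs" problem the reply raises.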