Why does Kerberos perform account management before authentication?
Date: Fri, 11 Oct 2024 07:53:48 UTC
Hey hackers. I understand that purely Kerberos-related questions are off-topic to this list, but there are a lot of bright people here, and I don't know where else to ask. The question isn't really Kerberos-specific either, but rather a philosophical one: should account management (as understood by PAM) be performed strictly after successful authentication? The "account management" term here means checking if the account is locked, expired, or has an expired password.

PAM answers this question with "yes", which may be checked with login(1). If I do either

# pw lock john

or

# pw -e 1 john

or

# pw -p 1 john

and then try to log in with an **incorrect** password, I always get the same "Login incorrect" reply. This means that the information about the account's status does not leak to an unauthenticated user.

Now playing the same game with a Kerberos server (MS AD controller, using MIT /usr/local/bin/kinit) reveals that when the account is in "expired" or "locked" state, this information is disclosed even if the applicant did not provide a correct password.

I wonder if there is a rationale for this behavior and/or if this is worth caring about at all. The benefit I see for the PAM behavior is that a brute-force attacker will continue fruitless attempts for a locked/expired account.
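The two orderings the post contrasts, as an added model that is not code from the post, from MIT Kerberos or from AD: a toy KDC answers an AS-REQ either by checking account state before verifying the password (status first) or after it (authenticate first). The error names are the RFC 4120 KDC error codes; the principal database, the plaintext password check and the two policy functions are constructed for the model.

```python
"""Model of a KDC's AS-REQ handling in two orderings.

Constructed illustration: error names follow RFC 4120 section 7.5.9,
everything else (database, password check, policies) is made up here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import hmac


@dataclass
class Principal:
    password: str            # constructed; a real KDC stores keys, not passwords
    locked: bool = False
    expired: bool = False
    password_expired: bool = False


# Constructed sample database: one live account, one locked, one with an expired key.
DB: Dict[str, Principal] = {
    "alice": Principal("correct horse"),
    "john": Principal("battery staple", locked=True),
    "bob": Principal("xyzzy", password_expired=True),
}


def account_status(p: Principal) -> Optional[str]:
    """Account-management check, the analogue of PAM's 'account' stack."""
    if p.locked:
        return "KDC_ERR_CLIENT_REVOKED"
    if p.expired:
        return "KDC_ERR_NAME_EXP"
    if p.password_expired:
        return "KDC_ERR_KEY_EXPIRED"
    return None


def password_ok(p: Principal, password: str) -> bool:
    return hmac.compare_digest(p.password, password)


def as_req_status_first(client: str, password: str) -> str:
    """Status checked before pre-authentication: the state is returned to anyone."""
    p = DB[client]
    return account_status(p) or ("OK" if password_ok(p, password) else "KDC_ERR_PREAUTH_FAILED")


def as_req_auth_first(client: str, password: str) -> str:
    """Pre-authentication first (the login(1)/PAM ordering): a wrong password always looks the same."""
    p = DB[client]
    if not password_ok(p, password):
        return "KDC_ERR_PREAUTH_FAILED"
    return account_status(p) or "OK"


def leaks_state(policy: Callable[[str, str], str]) -> bool:
    """True if wrong-password requests get different replies for different account states."""
    return len({policy(name, "wrong password") for name in DB}) > 1
```

With the status-first policy, `leaks_state` is True because a wrong password against the locked account yields KDC_ERR_CLIENT_REVOKED instead of KDC_ERR_PREAUTH_FAILED; with authenticate-first it is False, and the lock is reported only after a correct password.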