Why does Kerberos perform account management before authentication?

From: Gleb Popov <arrowd_at_freebsd.org>
Date: Fri, 11 Oct 2024 07:53:48 UTC
Hey hackers.

I understand that purely Kerberos-related questions are offtopic to
this list, but there are a lot of bright people here, and I don't know
where else to ask.

The question isn't really Kerberos-specific either, but rather a
philosophical one - should account management (as understood by PAM)
be performed strictly after successful authentication? The "account
management" term here means checking if the account is locked,
expired, or has an expired password.

PAM answers this question with "yes" which may be checked with
login(1). If I do either

# pw lock john

or

# pw -e 1 john

or

# pw -p 1 john

and then try to log in with an **incorrect** password, I always get
the same "Login incorrect" reply. This means that the information of
the account's status does not leak to an unauthenticated user.

Now playing the same game with a Kerberos server (MS AD controller,
using MIT /usr/local/bin/kinit) reveals that when the account is in
"expired" or "locked" state, this information is disclosed even if the
applicant did not provide a correct password.

I wonder if there is a rationale for this behavior, or if this is
worth caring about at all. The benefit I see for the PAM behavior is
that a brute-force attacker will continue fruitless attempts for a
locked/expired account.
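As an added illustration (not from the original post, and not code from PAM, login(1) or any Kerberos implementation), the following Python sketch models the two orderings the post compares: a login(1)-style flow that authenticates before running the account-management checks, and a status-first flow like the one observed with kinit, where lock/expiry state is reported before the password is verified. The Account fields, the PBKDF2 hashing and the reply strings are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the password database / principal record (assumed layout)
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    locked: bool = False           # pw lock
    account_expires: float = 0.0   # pw -e <days>; 0 means never
    password_expires: float = 0.0  # pw -p <days>; 0 means never

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_account(password: str, **flags) -> Account:
    salt = os.urandom(16)
    return Account(salt, derive(password, salt), **flags)

def authenticate(acct: Account, password: str) -> bool:
    return hmac.compare_digest(derive(password, acct.salt), acct.pw_hash)

def account_status(acct: Account, now: float) -> str:
    """Account-management checks; an empty string means the account is usable."""
    if acct.locked:
        return "Account locked"
    if acct.account_expires and now >= acct.account_expires:
        return "Account expired"
    if acct.password_expires and now >= acct.password_expires:
        return "Password expired"
    return ""

_DUMMY = make_account(os.urandom(16).hex())  # unknown users do the same work as known ones

def login_pam_order(db: dict, user: str, password: str, now: float) -> str:
    """login(1)-style order: authenticate first, so a wrong password always gets the same reply."""
    acct = db.get(user, _DUMMY)
    if not authenticate(acct, password) or user not in db:
        return "Login incorrect"
    return account_status(acct, now) or "Login OK"

def login_status_first(db: dict, user: str, password: str, now: float) -> str:
    """Status-first order as observed with kinit: state is reported before the password is checked."""
    acct = db.get(user)
    if acct is None:
        return "Login incorrect"
    return account_status(acct, now) or ("Login OK" if authenticate(acct, password) else "Login incorrect")
```

With a wrong password, `login_pam_order` answers "Login incorrect" for a locked, expired and unknown user alike, while `login_status_first` returns the lock or expiry reason without the caller ever having proven knowledge of the password.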