Re: Why Kerberos performs account management before authentication?

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Fri, 11 Oct 2024 15:09:41 UTC
In message <CALH631kPsbYakfANCqzCDKRKqL=gDs5qWpFp1FNn7EV++qT=Gg@mail.gmail.com>, Gleb Popov writes:
> Hey hackers.
>
> I understand that purely Kerberos-related questions are offtopic to
> this list, but there are a lot of bright people here, and I don't know
> where else to ask.
>
> The question isn't really Kerberos-specific either, but rather a
> philosophical one - should account management (as understood by PAM)
> be performed strictly after successful authentication? The "account
> management" term here means checking if the account is locked,
> expired, or has an expired password.
>
> PAM answers this question with "yes" which may be checked with
> login(1). If I do either
>
> # pw lock john
>
> or
>
> # pw -e 1 john
>
> or
>
> # pw -p 1 john
>
> and then try to log in with an **incorrect** password, I always get
> the same "Login incorrect" reply. This means that the information of
> the account's status does not leak to an unauthenticated user.
>
> Now playing the same game with a Kerberos server (MS AD controller,
> using MIT /usr/local/bin/kinit) reveals that when the account is in
> "expired" or "locked" state, this information is disclosed even if the
> applicant did not provide a correct password.

I just tested this on my MIT KRB5 KDC. I created a principal and expired it 
at 0800U (my timezone U = PDT). Here are the results:

slippy$ kinit cytest
cytest@CWSENT.COM's Password: 
kinit: Password incorrect

My MIT KRB5 KDC returns password incorrect to the FreeBSD Heimdal kinit for 
the expired principal.

slippy$ /usr/local/bin/kinit cytest
Password for cytest@CWSENT.COM: 
kinit: Password incorrect while getting initial credentials
slippy$ 

It also returns password incorrect to the MIT KRB5 kinit.

What you're seeing is M$ A/D behavior.

At $JOB our Linux and Solaris servers authenticate to A/D, with the same 
results. This is an A/D thing.


>
> I wonder if there is a rationale for this behavior and/or if this is
> worth caring about at all. The benefit I see for the PAM behavior is
> that a bruteforce attacker will continue fruitless attempts for a
> locked/expired account.
>

You might want to ask Microsoft this.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0
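
Added example, not part of the original message and not code from PAM, MIT krb5, Heimdal or Active Directory: a small Python model of the two check orders discussed in this thread, showing what a caller with a wrong password can tell apart under each. The `Account` fields, the function names, the sample accounts and the mapping of account states to RFC 4120 error names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Error names from RFC 4120; which one a given KDC sends is an assumption here.
PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"
CLIENT_REVOKED = "KDC_ERR_CLIENT_REVOKED"
NAME_EXP = "KDC_ERR_NAME_EXP"
KEY_EXPIRED = "KDC_ERR_KEY_EXPIRED"
OK = "OK"

@dataclass
class Account:
    password: str
    locked: bool = False
    expired: bool = False
    password_expired: bool = False

def account_status(acct):
    """Account-management step: return an error name, or None if usable."""
    if acct.locked:
        return CLIENT_REVOKED
    if acct.expired:
        return NAME_EXP
    if acct.password_expired:
        return KEY_EXPIRED
    return None

def login(acct, password, account_first):
    """One attempt. account_first=True checks status before the password."""
    status = account_status(acct)
    if account_first and status:
        return status              # state visible without the password
    if password != acct.password:
        return PREAUTH_FAILED      # uniform failure for every state
    return status or OK            # state visible only after authenticating

# Constructed test accounts, all with the same password.
ACCOUNTS = {
    "active": Account("s3cret"),
    "locked": Account("s3cret", locked=True),
    "expired": Account("s3cret", expired=True),
    "pw-expired": Account("s3cret", password_expired=True),
}

def wrong_password_replies(account_first):
    """What an unauthenticated caller sees for each account state."""
    return {n: login(a, "wrong", account_first) for n, a in ACCOUNTS.items()}

def leaks_state(account_first):
    """True if wrong-password replies differ between account states."""
    return len(set(wrong_password_replies(account_first).values())) > 1
```

The same comparison can be run against a real service by attempting a wrong password on a known-active and a known-locked test principal and checking whether the two replies differ.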