[30618] in Kerberos
Re: krb5-1.6.1 problems (on RedHat)
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Jan 13 13:41:27 2009
To: Mike Friedman <mikef@berkeley.edu>
In-Reply-To: <alpine.BSF.1.10.0901130955550.27061@brillig.security.berkeley.edu>
(Mike Friedman's message of "Tue, 13 Jan 2009 10:16:55 -0800 (PST)")
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 13 Jan 2009 10:40:13 -0800
Message-ID: <87r6379hiq.fsf@windlord.stanford.edu>
Cc: Tom Yu <tlyu@mit.edu>, MIT Kerberos Mailing List <kerberos@mit.edu>
Mike Friedman <mikef@berkeley.edu> writes:
> Now I'm having another problem with my 1.6.1 (RedHat Linux) test KDC.
> It seems that if I set the REQUIRES_PWCHANGE attribute for a principal
> and try to authenticate with an invalid password, I get back a return
> code of 31 ('decrypt integrity check failed'), instead of a 23 (password
> expired).
Hm, that seems like correct behavior to me in the presence of preauth.
Otherwise, you're leaking state about the account to a possible attacker.
> (My code depends on the RC=23 to verify that the REQUIRES_PWCHANGE
> attribute is, in fact, set. This code has been running successfully for
> years on earlier KDC versions, 1.4.2 currently, though not on Linux
> systems).
Wouldn't it be better to provide your code with an interface where it can
query that attribute directly instead of using the return code from a
failed authentication?
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
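Added example, not part of the original message and not MIT Kerberos code: one way to read the REQUIRES_PWCHANGE attribute directly, as the reply above suggests, by parsing the "Attributes:" line that kadmin's getprinc command prints. The function names, the principal-name pattern and the sample output are assumptions of this example; the sample output is constructed.

```python
import re
import subprocess

# Constructed sample of `kadmin.local -q "getprinc ..."` output (not from the thread).
SAMPLE_GETPRINC = """\
Principal: testuser@EXAMPLE.ORG
Expiration date: [never]
Password expiration date: [none]
Number of keys: 1
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
Policy: [none]
"""

# Conservative pattern (an assumption of this example) so a principal name
# cannot smuggle quotes or extra tokens into the kadmin query string.
_PRINCIPAL_RE = re.compile(r"[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*(@[A-Za-z0-9.-]+)?")


def parse_attributes(getprinc_output):
    """Return the set of attribute names on the 'Attributes:' line.

    Raises ValueError if the line is absent (for example when kadmin
    printed an error instead of a principal entry), so a failed lookup
    is never mistaken for "attribute not set".
    """
    for line in getprinc_output.splitlines():
        if line.startswith("Attributes:"):
            return set(line[len("Attributes:"):].split())
    raise ValueError("no Attributes line in getprinc output")


def requires_pwchange(principal, kadmin_argv=("kadmin.local",)):
    """Ask the KDC database whether REQUIRES_PWCHANGE is set on a principal."""
    if not _PRINCIPAL_RE.fullmatch(principal):
        raise ValueError("refusing unusual principal name: %r" % principal)
    out = subprocess.run(
        list(kadmin_argv) + ["-q", "getprinc " + principal],
        capture_output=True, text=True, check=True,
    ).stdout
    return "REQUIRES_PWCHANGE" in parse_attributes(out)


if __name__ == "__main__":
    print(sorted(parse_attributes(SAMPLE_GETPRINC)))
```

For a remote KDC, pass something like kadmin_argv=("kadmin", "-p", "<admin principal>", "-k", "-t", "<keytab path>"), where both values are placeholders for site-specific settings.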