Re: Perl question
- From: digant@xxxxxxx (Digant C Kasundra)
- Date: Thu, 22 Sep 2005 12:46:48 -0500
Ah, that works. I tried to get a ticket for kadmin/changepw instead of a
TGT for the realm. Thanks for the lead!
-- DK
On Thu, 2005-09-22 at 10:09 -0700, Mike Friedman wrote:
> On Thu, 22 Sep 2005 at 11:36 (-0500), Digant C Kasundra wrote:
>
> > I'm trying to find a way to authenticate a username and password pair
> > regardless of whether the password is expired or not. When using
> > Authen::Krb5, if an accounts pw is expired, regardless of the password I
> > use to try to get a ticket, it will give me the error that the password
> > is expired. How can I verify the username and password?
>
> Digant,
>
> I use the MIT K5 API, rather than the perl Authen::Krb5 module, but I've
> had to deal with the same issue.
>
> What I do is this: instead of requesting an initial credential for the
> user, I request a credential - on behalf of the user - for a special
> service principal that I've registered in my KDC. That principal is
> defined with the PWCHANGE_SERVICE attribute, so that the return code for
> an invalid password is not sent for an expired password. (In fact, that's
> the attribute set for the 'kadmin/changepw' principal used by kpasswd,
> which is why kpasswd doesn't have the problem you describe).
>
> I might also mention that if you're doing 'proxy' Kerberos authentication
> (i.e., on behalf of another user), it's not really enough just to get a
> credential for the user. You should also use the received and 'verified'
> TGT to obtain a service credential for a principal whose keytab entry
> you've installed and which you use to verify that credential. This is to
> protect yourself against a possibly spoofed KDC sending you back bogus
> AS_REPs in support of an impersonator (i.e., 'vouching' for the
> impersonator-supplied password as belonging to the victim user). In my
> case, in fact, I use the same service principal mentioned above for this
> purpose as well.
>
> Mike
>
> _____________________________________________________________________
> Mike Friedman System and Network Security
> mikef@xxxxxxxxxxxxxxxx 2484 Shattuck Avenue
> 1-510-642-1410 University of California at Berkeley
> http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
> _____________________________________________________________________
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
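The two steps Mike describes, written out in Perl with Authen::Krb5 (the module the original question is about). This is an added example, not code from either poster. It assumes a service principal of your own that has the PWCHANGE_SERVICE attribute and a key in a local keytab; the principal name, keytab path, and the Authen::Krb5 function names (get_init_creds_password with a service argument, kt_resolve, verify_init_creds) are assumptions to check against your installed module's POD.

```perl
#!/usr/bin/perl
# Added example (not from the thread): accept a username/password even when the
# password is expired, then verify the KDC's reply against a local keytab so a
# spoofed KDC cannot vouch for an impersonator's password.
use strict;
use warnings;
use Authen::Krb5;

# Assumed names; adjust to your realm. The service principal must carry the
# PWCHANGE_SERVICE attribute (as kadmin/changepw does) AND have a key in $KEYTAB.
# kadmin/changepw alone works for step 1 but you hold no keytab for it, so step 2
# needs a principal registered for this purpose.
my $SERVICE = 'verify/auth.example.com@EXAMPLE.COM';   # placeholder
my $KEYTAB  = 'FILE:/etc/krb5.verify.keytab';         # placeholder

sub check_password {
    my ($username, $password) = @_;

    Authen::Krb5::init_context() or die "krb5 context: " . Authen::Krb5::error();

    my $client = Authen::Krb5::parse_name($username)
        or die "parse_name($username): " . Authen::Krb5::error();
    my $server = Authen::Krb5::parse_name($SERVICE)
        or die "parse_name($SERVICE): " . Authen::Krb5::error();

    # Step 1: request a ticket for the PWCHANGE_SERVICE principal, not a TGT.
    # A wrong password is still rejected; a correct but expired one succeeds.
    my $creds = Authen::Krb5::get_init_creds_password($client, $password, $SERVICE);
    unless ($creds) {
        return (0, "password rejected for $username: " . Authen::Krb5::error());
    }

    # Step 2: decrypt the returned ticket with our own keytab. A forged AS-REP
    # cannot carry a ticket encrypted in the real service key, so this fails
    # unless the reply came from a KDC that holds that key.
    my $kt = Authen::Krb5::kt_resolve($KEYTAB)
        or die "kt_resolve($KEYTAB): " . Authen::Krb5::error();
    unless (Authen::Krb5::verify_init_creds($creds, $server, $kt)) {
        return (0, "ticket for $username failed keytab verification "
                 . "(spoofed KDC?): " . Authen::Krb5::error());
    }
    return (1, "password for $username verified");
}

die "usage: $0 user\@REALM password\n" unless @ARGV == 2;
my ($ok, $msg) = check_password(@ARGV);
print "$msg\n";
exit($ok ? 0 : 1);
```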