Perl question


Perl question

Digant C Kasundra
Hello folks,

I'm trying to find a way to authenticate a username and password pair
regardless of whether the password is expired or not.  When using
Authen::Krb5, if an account's pw is expired, regardless of the password I
use to try to get a ticket, it will give me the error that the password
is expired.  How can I verify the username and password?

        use Authen::Krb5;

        # $uid, $pw, $KRB5_REALM, $ACCEPT, $eventid and write_to_log()
        # come from the surrounding code.
        my $kprinc = Authen::Krb5::parse_name( $uid );

        # The TGT service principal, krbtgt/<realm>@<realm>, spelled out
        # directly; sname_to_principal() with a realm in place of a
        # hostname would try to canonicalize the realm as a host name.
        my $kservprinc = Authen::Krb5::parse_name(
                "krbtgt/$KRB5_REALM\@$KRB5_REALM" );

        my $kcc = Authen::Krb5::cc_default();

        # The cache is initialized for the client principal, not for the
        # service principal the ticket is requested for.
        $kcc->initialize( $kprinc );

        my $kerror = Authen::Krb5::get_in_tkt_with_password(
                        $kprinc,
                        $kservprinc,
                        $pw,
                        $kcc
                );

        # 1 means successful authentication, undef otherwise.  Nothing
        # here verifies the returned ticket against a keytab.
        if ($kerror) {
                return $ACCEPT;
        }
        else {
                my $errorcode = Authen::Krb5::error();
                write_to_log( $eventid, "Kerberos returned error $errorcode: "
                        . Authen::Krb5::error( $errorcode ) );
        }
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Perl question

Mike Friedman

On Thu, 22 Sep 2005 at 11:36 (-0500), Digant C Kasundra wrote:

> I'm trying to find a way to authenticate a username and password pair
> regardless of whether the password is expired or not.  When using
> Authen::Krb5, if an account's pw is expired, regardless of the password I
> use to try to get a ticket, it will give me the error that the password
> is expired.  How can I verify the username and password?

Digant,

I use the MIT K5 API, rather than the perl Authen::Krb5 module, but I've
had to deal with the same issue.

What I do is this:  instead of requesting an initial credential for the
user, I request a credential - on behalf of the user - for a special
service principal that I've registered in my KDC.  That principal is
defined with the PWCHANGE_SERVICE attribute, so that the return code for
an invalid password is not sent for an expired password.  (In fact, that's
the attribute set for the 'kadmin/changepw' principal used by kpasswd,
which is why kpasswd doesn't have the problem you describe).

I might also mention that if you're doing 'proxy' Kerberos authentication
(i.e., on behalf of another user), it's not really enough just to get a
credential for the user.  You should also use the received and 'verified'
TGT to obtain a service credential for a principal whose keytab entry
you've installed and which you use to verify that credential. This is to
protect yourself against a possibly spoofed KDC sending you back bogus
AS_REPs in support of an impersonator (i.e., 'vouching' for the
impersonator-supplied password as belonging to the victim user).  In my
case, in fact, I use the same service principal mentioned above for this
purpose as well.

Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
[hidden email]          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________


Re: Perl question

Garrett Wollman
In reply to this post by Digant C Kasundra
In article <[hidden email]>,
Digant C Kasundra <[hidden email]> wrote:
>Hello folks,
>
>I'm trying to find a way to authenticate a username and password pair
>regardless of whether the password is expired or not.  When using
>Authen::Krb5, if an account's pw is expired, regardless of the password I
>use to try to get a ticket, it will give me the error that the password
>is expired.  How can I verify the username and password?

This isn't actually a Perl question.

You need to request an initial ticket for a password-changing
service, rather than the ticket-granting.  Expired users can only
request initial tickets for a service which is identified in the KDC
as being a password-changing service.

You should create a separate principal for this, so that you can
safely put that principal's key in a keytab and use it to verify the
ticket you have received.  The code you have shown does not verify the
ticket, and thus does not actually check the password.

-GAWollman

--
Garrett A. Wollman    | As the Constitution endures, persons in every
[hidden email] | generation can invoke its principles in their own
Opinions not those    | search for greater freedom.
of MIT or CSAIL.      | - A. Kennedy, Lawrence v. Texas, 539 U.S. 558 (2003)
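Mike's and Garrett's advice combined into one Perl routine (an added example, not code from the thread; it assumes the get_init_creds_password, verify_init_creds and kt_resolve functions of later Authen::Krb5 releases, plus a hypothetical service/checkpw principal and keytab created as shown in the comments):

```perl
#!/usr/bin/perl
# Added example: check a username/password pair even when the password has
# expired, then verify the returned ticket so a spoofed KDC cannot vouch
# for a wrong password. Assumed one-time setup (hypothetical names):
#   kadmin: addprinc -randkey +password_changing_service service/checkpw
#   kadmin: ktadd -k /etc/krb5.checkpw.keytab service/checkpw
use strict;
use warnings;
use Authen::Krb5;

my $CHECKPW_SERVICE = 'service/checkpw';           # hypothetical principal
my $CHECKPW_KEYTAB  = '/etc/krb5.checkpw.keytab';  # hypothetical keytab

Authen::Krb5::init_context();

# Returns (1, '') if $uid/$pw match the KDC's key for $uid (expired or not),
# or (0, <last Authen::Krb5 error>) otherwise.
sub check_password {
    my ($uid, $pw) = @_;

    my $client = Authen::Krb5::parse_name($uid)
        or return (0, Authen::Krb5::error());

    # Ask for an initial ticket for the password-changing service instead
    # of krbtgt. The KDC grants it even for an expired password because the
    # service carries the PWCHANGE_SERVICE attribute.
    my $creds = Authen::Krb5::get_init_creds_password($client, $pw, $CHECKPW_SERVICE)
        or return (0, Authen::Krb5::error());

    # Decrypt the ticket with the service key from our own keytab. Without
    # this step any host answering as the KDC could return a bogus AS-REP
    # and the caller would accept an attacker-chosen password.
    my $server = Authen::Krb5::parse_name($CHECKPW_SERVICE);
    my $keytab = Authen::Krb5::kt_resolve("FILE:$CHECKPW_KEYTAB");
    Authen::Krb5::verify_init_creds($creds, $server, $keytab)
        or return (0, Authen::Krb5::error());

    return (1, '');
}

my ($ok, $err) = check_password(@ARGV[0, 1]);
print $ok ? "password accepted\n" : "rejected: $err\n";
Authen::Krb5::free_context();
```

Because the ticket is for service/checkpw itself, verify_init_creds can decrypt it directly with the keytab key and does not need a second TGS exchange.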

Re: Perl question

Digant C Kasundra
In reply to this post by Mike Friedman
Ah, that works.  I tried to get a ticket for kadmin/changepw instead of a
TGT for the realm.  Thanks for the lead!

-- DK

On Thu, 2005-09-22 at 10:09 -0700, Mike Friedman wrote:


Re: Perl question

Tom Yu
>>>>> "digant" == Digant C Kasundra <[hidden email]> writes:

digant> Ah, that work.  I tried to get a ticket for kadmin/changepw
digant> instead of a TGT for the realm.  Thanks for the lead!

Please remember that you need to verify the ticket you get, or else an
attacker could collude with an imposter KDC to log in.  I would hope
that you do not have a key for verifying kadmin/changepw tickets on
your client machines, thus Mike's suggestion for a different principal
with that attribute set.

---Tom

Re: Perl question

Digant C Kasundra
Actually, I lied.  I did create a new service/checkpw principal and gave
it the pw change service flag and that's what I'm using to check the
password.  I should probably verify that ticket with a keytab.


On Thu, 2005-09-22 at 13:54 -0400, Tom Yu wrote:
