Mike Friedman <[email protected]> writes: > Now I'm having another problem with my 1.6.1 (RedHat Linux) test KDC. > It seems that if I set the REQUIRES_PWCHANGE attribute for a principal > and try to authenticate with an invalid password, I get back a return > code of 31 ('decrypt integrity check failed'), instead of a 23 (password > expired).
Hm, that seems like correct behavior to me in the presence of preauth. Otherwise, you're leaking state about the account to a possible attacker. > (My code depends on the RC=23 to verify that the REQUIRES_PWCHANGE > attribute is, in fact, set. This code has been running successfully for > years on earlier KDC versions, 1.4.2 currently, though not on Linux > systems). Wouldn't it be better to provide your code with an interface where it can query that attribute directly instead of using the return code from a failed authentication? -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
