Hi, I'm new to using Kerberos and I'm definitely not a security expert, and I tried searching for this but it's pretty difficult since most of the hits are about people trying to get Kerberos working, so here goes...
If I do "kinit notauser" to my KDC, it replies instantly with:

    kinit: Client not found in Kerberos database while getting initial credentials

If I "kinit realuser" then it replies by asking for the password as expected.

Doesn't this allow somebody to probe the KDC to find valid user names, which seems like a vulnerability? Other programs like SSH don't give any information away on bad usernames so you can't probe for valid ones. I thought this was a security best-practice, so I was surprised to find Kerberos doesn't do this.

Or, is there a setting somewhere? Or, am I missing something?

Thanks,
Chris

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
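The difference Chris describes (CLIENT_NOT_FOUND for unknown principals, a pre-authentication challenge for real ones) also shows up in the KDC's own log, so a defender can at least spot a source that walks through many names. The script below is an added example, not part of the original post; its log lines are constructed and their shape is an assumption modelled on MIT krb5kdc's AS_REQ log format, and the function names and the threshold are mine.

```python
import re
from collections import defaultdict

# Assumed line shape, modelled on MIT krb5kdc AS_REQ logging (an assumption,
# not taken from the post). We capture the source address, the result code
# and the client principal named in the request.
KDC_LINE = re.compile(
    r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<src>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+)"
)

# Constructed sample log: one source trying several non-existent names,
# another source with a single typo followed by a real login.
SAMPLE_LOG = """\
Mar 03 10:00:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: notauser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Mar 03 10:00:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Mar 03 10:00:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Mar 03 10:00:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: realuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 03 10:00:05 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: CLIENT_NOT_FOUND: realusr@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Mar 03 10:00:09 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: NEEDED_PREAUTH: realuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""


def parse_as_req(log_text):
    """Yield (src_ip, status, client_principal) for every AS_REQ line."""
    for line in log_text.splitlines():
        m = KDC_LINE.search(line)
        if m:
            yield m.group("src"), m.group("status"), m.group("client")


def enumeration_suspects(log_text, threshold=3):
    """Map each source that hit CLIENT_NOT_FOUND for at least `threshold`
    distinct principals to the sorted list of those principals.
    Distinct names, not raw counts, so a user retrying one typo is ignored."""
    unknown = defaultdict(set)
    for src, status, client in parse_as_req(log_text):
        if status == "CLIENT_NOT_FOUND":
            unknown[src].add(client)
    return {src: sorted(n) for src, n in unknown.items() if len(n) >= threshold}


if __name__ == "__main__":
    for src, names in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{src}: {len(names)} distinct unknown principals: {', '.join(names)}")
```

Run against a real krb5kdc log the threshold and time window would need tuning; this only demonstrates the signal the post's observation leaves behind on the server side.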
