On 7/1/20 1:53 AM, Eric Hattemer wrote:
> I know pre-auth is a special case where you'd need to provide a
> plausible challenge for non-existent accounts. But is there maybe a
> setting to treat unknown principals as if they had pre-auth disabled,
> request a password, and just send back invalid password / encryption
> failed no matter what?
We don't have a setting like that. The closest nod we have in the code to this desire is a "vague errors" setting for the KDC, which can only be turned on at compile time (or via ptrace, I guess) and causes the KDC to yield generic errors instead of useful ones. But that setting still allows an attacker to easily distinguish between "client principal requires preauth" and "client principal not found".

Because the Kerberos principal namespace isn't formally divided between users and services, any obscurity feature would probably have some edge cases. For example, if we treated single-component principals as users, anyone with a user/admin principal (or user/root, which has no status in the code but is a common convention for elevated access) would probably still be detectable by an attacker.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
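Since the reply above says the KDC cannot hide the difference between "preauth required" and "client not found", the defensive counterpart is to notice when that difference is being probed. The following is an added example, not code from the thread or from MIT krb5: it assumes log lines in the style of MIT's krb5kdc.log (the sample lines are constructed) and flags source addresses whose AS_REQs span many distinct client names and mostly end in CLIENT_NOT_FOUND.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of MIT krb5kdc.log (the format is an
# assumption; these are not real entries from any KDC).
SAMPLE_LOG = """\
Jul 01 01:53:10 kdc krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 01 01:53:11 kdc krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:11 kdc krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:53:12 kdc krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 01 01:55:02 kdc krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 01 01:55:03 kdc krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1593575703, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# One AS_REQ line: source address, KDC status keyword, requesting client principal.
AS_REQ_RE = re.compile(
    r"AS_REQ \(.*?\) (?P<addr>[\d.]+): (?P<status>[A-Z_]+): .*?(?P<client>\S+@\S+) for "
)


def parse_as_req(line):
    """Return (addr, status, client) for an AS_REQ log line, else None."""
    m = AS_REQ_RE.search(line)
    return (m.group("addr"), m.group("status"), m.group("client")) if m else None


def enumeration_suspects(log_text, min_distinct=3, min_not_found_ratio=0.5):
    """Source addresses whose AS_REQs name many distinct clients and are mostly
    CLIENT_NOT_FOUND: the trace a name-guessing probe leaves in the KDC log."""
    stats = defaultdict(lambda: {"clients": set(), "not_found": 0, "total": 0})
    for line in log_text.splitlines():
        parsed = parse_as_req(line)
        if parsed is None:
            continue
        addr, status, client = parsed
        s = stats[addr]
        s["total"] += 1
        s["clients"].add(client)
        if status == "CLIENT_NOT_FOUND":
            s["not_found"] += 1
    return sorted(
        addr for addr, s in stats.items()
        if len(s["clients"]) >= min_distinct
        and s["not_found"] / s["total"] >= min_not_found_ratio
    )


if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))  # ['192.0.2.10']
```

Thresholds are deliberately loose for the sample; on a real KDC, tune them against the normal rate of mistyped usernames before alerting.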