• Re: is there a way to detect if user is using same incorrect password in authentication

    From Ken Hornstein@kenh@cmf.nrl.navy.mil to Jim Shi on Fri Aug 9 21:03:01 2024
    From Newsgroup: comp.protocols.kerberos

    > Hi, we have a requirement to detect if a client is using the same incorrect
    > password in authentication against the KDC. Is it possible for the KDC
    > server to determine if a client is using the same incorrect password? Thanks

    Ouch, is this some dang compliance requirement? I thought I had dealt with
    SO MANY weird compliance issues, but that's a new one to me. I'm interested
    in where this is coming from. If I understand you, it seems like you mean
    that a single client is repeating the same incorrect password over and over.
    If you mean that different clients are trying to use the same incorrect
    password, I don't believe that's possible (nor do I understand why that
    would be a requirement). Upon further thought, this seems like a completely
    ridiculous requirement and I cannot imagine why anyone would ask for it.

    I _think_, in theory ... my first guess as to what you mean is possible.
    But it won't be trivial. I believe you could accomplish this by using
    encrypted timestamp preauth, detecting when a wrong password is seen,
    remembering that on the KDC, and then sending the same encrypted timestamp
    back to the client upon further password requests and detecting if the
    response was the same. That would be a lot of code and have issues if
    the requests went to different KDCs. It's very possible I could be wrong
    about that. And again, that only works with requests from the SAME client
    due to password salting.

    --Ken
    --- Synchronet 3.21d-Linux NewsLink 1.2
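    Added illustration (not part of the thread, and not code from any Kerberos implementation): a toy model of what the KDC actually sees during encrypted-timestamp preauth, to show why the two points in Ken's reply hold. The key is derived from the password plus a salt built from realm and principal name (the structure RFC 3962 uses; the real AES string-to-key adds a further DK() step, which is omitted here), and the client's PA-ENC-TIMESTAMP carries a fresh random confounder on every attempt. The encryption itself is a stand-in built from HMAC so the script runs with only the standard library; realm, principal and password values are constructed for the demo. Two things fall out: two attempts with the same wrong password from the same principal do not produce the same blob unless the confounder and timestamp are pinned, and the same wrong password under two different principals yields two different keys, which is the salting limitation Ken mentions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy model of Kerberos PA-ENC-TIMESTAMP preauthentication (RFC 4120 section 5.2.7.2).
# Key derivation follows the RFC 3962 shape (PBKDF2 over password with salt =
# realm + principal) minus the final DK() step; the cipher is an HMAC-based
# stand-in, NOT AES-CTS, chosen so the example runs offline with hashlib only.

ITERATIONS = 4096          # RFC 3962 default iteration count
CONF_LEN, TS_LEN, MAC_LEN = 16, 8, 16


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key for a principal. The salt is realm + principal name, so the
    same password under a different principal gives a different key."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, dklen=16)


def encrypt_timestamp(key: bytes, ts: int, confounder: Optional[bytes] = None) -> bytes:
    """Client side: confounder || (timestamp XOR keystream) || MAC.
    A fresh random confounder is drawn per attempt unless one is supplied."""
    conf = confounder if confounder is not None else os.urandom(CONF_LEN)
    plain = ts.to_bytes(TS_LEN, "big")
    keystream = hmac.new(key, b"enc" + conf, hashlib.sha256).digest()[:TS_LEN]
    body = bytes(p ^ k for p, k in zip(plain, keystream))
    mac = hmac.new(key, b"mac" + conf + body, hashlib.sha256).digest()[:MAC_LEN]
    return conf + body + mac


def kdc_verify(key: bytes, blob: bytes, now: int, skew: int = 300) -> bool:
    """KDC side: check integrity under the stored key, then check freshness.
    A wrong password only shows up as a MAC mismatch; the KDC never learns
    which wrong password was used."""
    conf = blob[:CONF_LEN]
    body = blob[CONF_LEN:CONF_LEN + TS_LEN]
    mac = blob[CONF_LEN + TS_LEN:]
    expect = hmac.new(key, b"mac" + conf + body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expect):
        return False
    keystream = hmac.new(key, b"enc" + conf, hashlib.sha256).digest()[:TS_LEN]
    ts = int.from_bytes(bytes(b ^ k for b, k in zip(body, keystream)), "big")
    return abs(now - ts) <= skew


def repeated_wrong_password_blobs_match(realm: str, principal: str, wrong_pw: str,
                                        now: int, pin_confounder: bool) -> bool:
    """Does the same wrong password yield the same PA blob on two attempts?
    With the normal per-attempt confounder: no. With a pinned confounder and
    timestamp (the kind of state a KDC would have to force): yes."""
    key = string_to_key(wrong_pw, realm, principal)
    conf = b"\x00" * CONF_LEN if pin_confounder else None
    return encrypt_timestamp(key, now, conf) == encrypt_timestamp(key, now, conf)


def keys_differ_across_principals(realm: str, pw: str, p1: str, p2: str) -> bool:
    """Same (wrong) password, two principals: the salt makes the keys differ."""
    return string_to_key(pw, realm, p1) != string_to_key(pw, realm, p2)


if __name__ == "__main__":
    # Constructed demo values.
    realm, alice, now = "EXAMPLE.COM", "alice", 1_700_000_000
    real_key = string_to_key("correct horse", realm, alice)
    print("right password accepted:", kdc_verify(real_key, encrypt_timestamp(real_key, now), now))
    wrong_key = string_to_key("wrong horse", realm, alice)
    print("wrong password rejected:", not kdc_verify(real_key, encrypt_timestamp(wrong_key, now), now))
    print("same wrong pw, two normal attempts, blobs equal:",
          repeated_wrong_password_blobs_match(realm, alice, "wrong horse", now, False))
    print("same wrong pw, pinned confounder+timestamp, blobs equal:",
          repeated_wrong_password_blobs_match(realm, alice, "wrong horse", now, True))
    print("same wrong pw, alice vs bob, keys differ:",
          keys_differ_across_principals(realm, "wrong horse", alice, "bob"))
```

The point for anyone actually asked to implement this: the KDC's only signal on a bad password is "MAC did not verify". Comparing blobs across attempts only works if the randomness and timestamp in the client's reply are pinned, which is the extra per-KDC state Ken describes, and it cannot work across principals because the salt is baked into the key.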
  • From Ken Hornstein@kenh@cmf.nrl.navy.mil to Brent Kimberley on Sat Aug 10 12:28:07 2024
    From Newsgroup: comp.protocols.kerberos

    > The definition of an argon salt is predicated on a nonce - number used
    > once. Reusing the salt changes the definition.

    I ... don't see how that's relevant to this discussion? The document
    you linked is not used by any extant Kerberos implementation that I am
    aware of.

    --Ken