Re: is there a way to detect if user is using same incorrect password in authentication

From Ken Hornstein <kenh@cmf.nrl.navy.mil>
Newsgroups comp.protocols.kerberos
Subject Re: is there a way to detect if user is using same incorrect password in authentication
Date Fri, 09 Aug 2024 21:03:01 -0400
Message-ID <mailman.122.1723251789.2322.kerberos@mit.edu> (permalink)

>Hi, we have a requirement to detect if a client is using the same incorrect
>password in authentication against the KDC.  Is it possible for the KDC
>server to determine if a client is using the same incorrect password?  Thanks

Ouch, is this some dang compliance requirement?  I thought I had dealt with
SO MANY weird compliance issues, but that's a new one to me.  I'm interested
in where this is coming from.  If I understand you, it seems like you mean
that a single client is repeating the same incorrect password over and over.
If you mean that different clients are trying to use the same incorrect
password, I don't believe that's possible (nor do I understand why that
would be a requirement).  Upon further thought, this seems like a completely
ridiculous requirement and I cannot imagine why anyone would ask for it.

I _think_, in theory ... my first guess as to what you mean is possible.
But it won't be trivial.  I believe you could accomplish this by using
encrypted timestamp preauth, detecting when a wrong password is seen,
remembering that on the KDC, and then sending the same encrypted timestamp
back to the client upon further password requests and detecting if the
response was the same.  That would be a lot of code and have issues if
the requests went to different KDCs.  It's very possible I could be wrong
about that.  And again, that only works with requests from the SAME client
due to password salting.

--Ken
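
The salting point in the reply above, as an added example that is not part of the original post: with the AES enctypes, the client derives its key from the typed password and a salt that defaults to the realm plus the principal name (RFC 4120, RFC 3962), so the same wrong password yields unrelated key material for different principals. The realm, principals and passwords are constructed, `group_by_key` is a hypothetical helper, and only the PBKDF2 stage of string-to-key is shown (the final DK(tkey, "kerberos") step is omitted).

```python
import hashlib
from collections import defaultdict

REALM = "EXAMPLE.COM"  # constructed realm name


def default_salt(realm, *components):
    """RFC 4120 default salt: realm, then the name components, no separators."""
    return (realm + "".join(components)).encode("utf-8")


def pbkdf2_stage(password, salt, iterations=4096, keylen=32):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key.

    4096 is the RFC 3962 default iteration count; keylen=32 matches aes256.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, keylen)


def group_by_key(attempts):
    """Group attempt indexes by the key material the client would derive.

    This is the client's view. A KDC never sees the typed password or this
    key, only data encrypted under it, which is why any comparison of wrong
    attempts can at best be made per principal.
    """
    groups = defaultdict(list)
    for idx, (principal, typed) in enumerate(attempts):
        key = pbkdf2_stage(typed, default_salt(REALM, principal))
        groups[key].append(idx)
    return sorted(groups.values())


# Constructed attempts: (principal, wrong password typed by the user)
ATTEMPTS = [
    ("alice", "Winter2024"),
    ("alice", "Winter2024"),   # same principal, same wrong password
    ("bob",   "Winter2024"),   # different principal, same wrong password
    ("alice", "Winter2025"),   # same principal, different wrong password
]

if __name__ == "__main__":
    print(group_by_key(ATTEMPTS))
```
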
