Path: csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: Ken Hornstein
Newsgroups: comp.protocols.kerberos
Subject: Re: is there a way to detect if user is using same incorrect password in authentication
Date: Fri, 09 Aug 2024 21:03:01 -0400
Organization: TNet Consulting
Lines: 24
Message-ID: <202408100103.47A131bX008296@hedwig.cmf.nrl.navy.mil>
References: <887838909.3164322.1723239377924.ref@mail.yahoo.com> <887838909.3164322.1723239377924@mail.yahoo.com>
In-Reply-To: <887838909.3164322.1723239377924@mail.yahoo.com>
To: Jim Shi
Cc: "kerberos@mit.edu"
List-Id: The Kerberos Authentication System Mailing List
Xref: csiph.com comp.protocols.kerberos:5351

>Hi, we have a requirement to detect if a client is using the same incorrect
>password in authentication against KDC. Is it possible the KDC
>server can determine if client is using same incorrect password? Thanks

Ouch, is this some dang compliance requirement? I thought I had dealt with
SO MANY weird compliance issues, but that's a new one to me. I'm interested
in where this is coming from.

If I understand you, it seems like you mean that a single client is
repeating the same incorrect password over and over. If you mean that
different clients are trying to use the same incorrect password, I don't
believe that's possible (nor do I understand why that would be a
requirement).

Upon further thought, this seems like a completely ridiculous requirement
and I cannot imagine why anyone would ask for it.

I _think_, in theory ... my first guess as to what you mean is possible.
But it won't be trivial. I believe you could accomplish this by using
encrypted timestamp preauth, detecting when a wrong password is seen,
remembering that on the KDC, and then sending the same encrypted timestamp
back to the client upon further password requests and detecting if the
response was the same. That would be a lot of code and have issues if the
requests went to different KDCs. It's very possible I could be wrong about
that. And again, that only works with requests from the SAME client due to
password salting.

--Ken
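Added example, not Ken's code and not from MIT Kerberos: a small Python model of encrypted-timestamp preauth (PA-ENC-TIMESTAMP, RFC 4120) showing what a KDC actually observes when the password is wrong, and why two attempts with the same wrong password do not look alike on the wire. The string-to-key function, the keyed check, the realm EXAMPLE.COM and the principal jim are constructed stand-ins, not a real Kerberos enctype.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values; the default Kerberos salt is realm + principal name.
REALM = "EXAMPLE.COM"
PRINCIPAL = "jim"


def string_to_key(password, salt):
    """Stand-in for string-to-key (PBKDF2 here, not a real enctype). Same
    principal means same salt, so the same password always gives the same key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def client_preauth(password, now=None):
    """Client side of PA-ENC-TIMESTAMP: prove knowledge of the long-term key by
    protecting a fresh timestamp with it. RFC 3961 ciphertexts start with a
    random confounder, modelled here, so identical inputs never repeat on the wire."""
    key = string_to_key(password, REALM + PRINCIPAL)
    confounder = os.urandom(8)
    ts = int(time.time()) if now is None else now
    tag = hmac.new(key, confounder + ts.to_bytes(8, "big"), "sha256").digest()
    return {"confounder": confounder, "timestamp": ts, "tag": tag}


def kdc_verify(stored_key, pa, now=None, skew=300):
    """KDC side: check the blob against the stored key and the clock-skew window.
    A wrong password simply fails the integrity check; the KDC learns nothing
    about which wrong password produced it."""
    msg = pa["confounder"] + pa["timestamp"].to_bytes(8, "big")
    expected = hmac.new(stored_key, msg, "sha256").digest()
    ts_now = int(time.time()) if now is None else now
    return hmac.compare_digest(expected, pa["tag"]) and abs(ts_now - pa["timestamp"]) <= skew


def same_on_the_wire(a, b):
    """The comparison a KDC would have to rely on to link two failed attempts."""
    return a == b


if __name__ == "__main__":
    kdc_key = string_to_key("correct horse", REALM + PRINCIPAL)
    print("right password verifies:", kdc_verify(kdc_key, client_preauth("correct horse")))
    first, second = client_preauth("Tr0ub4dor"), client_preauth("Tr0ub4dor")
    print("wrong password fails:", not kdc_verify(kdc_key, first))
    print("same wrong password linkable by comparison:", same_on_the_wire(first, second))
```

With the standard exchange the KDC sees only pass or fail per request for a principal; linking attempts by content would need the kind of extra KDC-side state Ken sketches above.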