Bug 15746 - kinit/heimdal leaks information about password expiry
Summary: kinit/heimdal leaks information about password expiry
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-24 16:21 UTC by Felix Botner
Modified: 2024-12-19 00:01 UTC (History)
1 user (show)

See Also:


Attachments
kinit.log (8.31 KB, text/plain)
2024-10-24 16:23 UTC, Felix Botner
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner 2024-10-24 16:21:46 UTC
Samba version: 4.21.1

After creating an user object with an expired password (--must-change-at-next-login) kinit shows "Password has expired" even with a wrong password.

$ samba-tool user add foobar foobar.99 --must-change-at-next-login

# FAIL, with wrong password
./bin/default/third_party/heimdal_build/samba4kinit.inst foobar
foobar@FIVE.TWO's Password: 
Password has expired
samba4kinit.inst: Password incorrect

Why do i get "Password has expired" here? This should not be shown, right? (and it is not with samba 4.18.3)

# OK, password change dialog with correct password 
$ ./bin/default/third_party/heimdal_build/samba4kinit.inst foobar
foobar@FIVE.TWO's Password: 
Password has expired
Your password will expire at Thu Jan  1 01:00:00 1970
Changing password
New password:

LDIF:

dn: CN=foobar,CN=Users,DC=five,DC=two
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: foobar
instanceType: 4
whenCreated: 20241024155926.0Z
uSNCreated: 4355
name: foobar
objectGUID: 53cb3a5d-8f87-4ec3-84b2-06b3622002e6
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1756134253-1098979800-3493687893-1118
accountExpires: 9223372036854775807
sAMAccountName: foobar
sAMAccountType: 805306368
userPrincipalName: foobar@five.two
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=five,DC=two
pwdLastSet: 0
userAccountControl: 512
lastLogonTimestamp: 133742596154241010
whenChanged: 20241024160655.0Z
uSNChanged: 4359
lastLogon: 133742596154341000
logonCount: 2
distinguishedName: CN=foobar,CN=Users,DC=five,DC=two

As an attachment you can find the krb5 client debug log for the kinit with a wrong password.

This also happens with the standard heimdal kinit tool, so it may be a problem in the response from the KDC?

Thanks,
Felix
Comment 1 Felix Botner 2024-10-24 16:23:43 UTC
Created attachment 18483 [details]
kinit.log

kinit with wrong password and debug
Comment 2 Douglas Bagnall 2024-10-25 02:14:52 UTC
I think this is probably not a bug, being the best of two imperfect alternatives.

Either you leak the expiry or you leak a little bit of information about what the old password isn't. Returning some other error code which would make a brute-force attack on the old password easier.

This was probably changed with this commit: https://gitlab.com/samba-team/devel/lorikeet-heimdal/-/commit/4c2f7224258f20bfa2f08eaf2dafe75100457662 which was moving to match windows.
Comment 3 Felix Botner 2024-10-25 09:52:54 UTC
Thanks!

but i don't really understand your argument

> Either you leak the expiry or you leak a little bit of information about what 
> the old password isn't. Returning some other error code which would make a 
> brute-force attack on the old password easier.

If i throw a wrong password at him and he tells me "Password has expired" and "Password incorrect" instead of just "Password incorrect", that is additional information.

Why should the KDC do that?
Comment 4 Douglas Bagnall 2024-11-01 01:34:38 UTC
(In reply to Felix Botner from comment #3)
> If i throw a wrong password at him and he tells me "Password has expired" and "Password incorrect" instead of just "Password incorrect", that is additional information.

> Why should the KDC do that?

hmm, yes.

I think I was imagining (as opposed to properly reading) that it would not tell you "wrong password" until you had tried to set a new password.

Have you tried against Windows?
Comment 5 Felix Botner 2024-11-01 12:33:12 UTC
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
Hotfix(s):                 53 Hotfix(s) Installed.
...
[53]: KB5005701

Created an AD user object with "User must change password at next logon":

$ ldbsearch  -H ldap://10.210.36.83 -U Administrator%'Univention@99#+?=$'  cn=test1 
+ ldbsearch -H ldap://10.210.36.83 -U 'Administrator%Univention@99#+?=$' cn=test1
# record 1
dn: CN=test1,CN=Users,DC=utotest235win,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test1
givenName: test1
distinguishedName: CN=test1,CN=Users,DC=utotest235win,DC=test
instanceType: 4
whenCreated: 20241101121936.0Z
whenChanged: 20241101121950.0Z
displayName: test1
uSNCreated: 12811
uSNChanged: 12821
name: test1
objectGUID: 224206dc-c9da-4029-9207-348aa3b4b81a
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133749371856716448
lastLogoff: 0
lastLogon: 133749371909681216
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-490277428-4136810947-3753624039-1111
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: test1
sAMAccountType: 805306368
userPrincipalName: test1@utotest235win.test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=utotest235win,DC=test
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133749371909681216

From a linux client with krb5 config pointing to the windows AD:

# wrong password
$ kinit test1
test1@UTOTEST235WIN.TEST's Password: 
kinit: Password incorrect

# correct password
$ kinit test1
test1@UTOTEST235WIN.TEST's Password: 
Password has expired
Your password/account will expire at Thu Jan  1 01:00:00 1970
Changing password
New password:

I don't see this "Password has expired" when I logon to a Windows AD.