- Story
- Resolution: Won't Do
- Minor
- None
- None
- None
- Minor
- sst_idm_ipa
- ssg_idm
When authentication to the IPA Web UI fails, the error differs depending on whether the username exists.
Request from an existing account:
kinit: Password incorrect while getting initial credentials
Request from a non-existent account:
kinit: Client 'user@EXAMPLE.NET' not found in Kerberos database while getting initial credentials
An attacker could use this to find out valid login names and use them in brute-force attacks or check them against published password dumps.
The request is to have the IPA Web UI substitute these kinit errors with something less explicit, for example "login failure, check your username and password". As some customers will prefer to keep the current behaviour, this could be made a configuration option.
This is intended to affect only the "HTTP/1.1 401 Unauthorized" error message, not the internal logging.
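The following is an added example written for this report; it is not FreeIPA project code. It shows both sides of the issue: a check that treats a password-login endpoint as a username oracle when failed logins for different usernames produce different 401 bodies, and the server-side substitution the report asks for, which keeps the raw kinit text for the internal log and returns only the generic message to the client, behind a flag standing in for the proposed configuration option. The two sample responses are constructed from the kinit messages quoted above. The endpoint path `/ipa/session/login_password`, the form field names `user` and `password`, and the Referer header in the optional live probe are assumptions about the Web UI and are only needed if you run the probe against a server you are authorized to test.

```python
# Added example for this report; not FreeIPA code. Endpoint path, form field
# names and the Referer requirement in login_password() are assumptions.
import re
import urllib.error
import urllib.parse
import urllib.request

GENERIC_FAILURE = "login failure, check your username and password"

# kinit texts quoted in the report; each one tells the caller whether the
# principal exists, so neither may reach the HTTP client unchanged.
KINIT_LEAK_PATTERNS = (
    re.compile(r"Password incorrect while getting initial credentials"),
    re.compile(r"Client '[^']*' not found in Kerberos database"),
)

# Constructed sample: (status, body) of two failed logins against one Web UI,
# one for an existing account and one for a non-existent account.
SAMPLE_RESPONSES = {
    "alice": (401, "kinit: Password incorrect while getting initial credentials\n"),
    "nosuchuser": (401, "kinit: Client 'nosuchuser@EXAMPLE.NET' not found in "
                        "Kerberos database while getting initial credentials\n"),
}


def leaks_principal_existence(body: str) -> bool:
    """True if the body carries one of the kinit messages that reveal existence."""
    return any(p.search(body) for p in KINIT_LEAK_PATTERNS)


def has_username_oracle(responses: dict) -> bool:
    """responses maps username -> (status, body). The login form is an oracle
    when failed attempts for different usernames do not all yield the same body."""
    bodies = {body.strip() for status, body in responses.values() if status == 401}
    return len(bodies) > 1


def sanitize_login_error(raw_body: str, internal_log: list, enabled: bool = True) -> str:
    """Substitution the report proposes: log the exact kinit text server-side,
    return the generic message to the client. `enabled` models the config option."""
    internal_log.append(raw_body.strip())
    return GENERIC_FAILURE if enabled else raw_body


def sanitized_responses(responses: dict, enabled: bool = True):
    """Apply the substitution to every 401 body; returns (responses, internal_log)."""
    log = []
    out = {
        user: (status, sanitize_login_error(body, log, enabled) if status == 401 else body)
        for user, (status, body) in responses.items()
    }
    return out, log


def login_password(base_url: str, user: str, password: str, timeout: int = 10):
    """Live probe (assumed endpoint): POST the form login and return (status, body).
    Only run against a server you are authorized to test."""
    base = base_url.rstrip("/")
    data = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(
        base + "/ipa/session/login_password",
        data=data,
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "text/plain",
            "Referer": base + "/ipa",  # assumed: the Web UI rejects requests without it
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.getcode(), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url: str, existing_user: str, bogus_user: str = "zz-probe-nonexistent",
          password: str = "not-the-password") -> bool:
    """Compare one known-good username with one that cannot exist; True means oracle."""
    return has_username_oracle(
        {u: login_password(base_url, u, password) for u in (existing_user, bogus_user)}
    )


if __name__ == "__main__":
    print("oracle before fix:", has_username_oracle(SAMPLE_RESPONSES))
    fixed, log = sanitized_responses(SAMPLE_RESPONSES)
    print("oracle after fix:", has_username_oracle(fixed))
    print("internal log still has raw kinit text:", log)
```

With the flag off, the sanitizer passes the bodies through unchanged, so the oracle check reports the current behaviour; with it on, both failures collapse to the same generic string while the internal log keeps the two distinct kinit messages, which is the split between the 401 response and the logging the report asks for.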