Hello,
I would like to compare a String to the password of the currently authenticated user (encrypted keys comparison). It seems like retrieving password from the ticket cache but how can I do that?
Thank you
Hello,
I would like to compare a String to the password of the currently authenticated user (encrypted keys comparison). It seems like retrieving password from the ticket cache but how can I do that?
Thank you
I don't know if that's intended to be possible. That hash may be salted with a key known only to the server. What I'd try instead is to just authenticate using the user's id and the given String. If the server accepts the authentication request, the password was valid.
It is not possible to retrieve the password from information that are available on the client or anywhere in a kerberos system. According to the kerberos article in wikipedia (which holds similar information to what I read at other sources) the user entered password is hashed with a one-way function into something that serves as the secret from this point on. The secret is available at the key distribution center (KDC) and the ticket granting ticket (TGT) is symmetrically encrypted with this secret. To receive and use the TGT, a client has to provide the secret to decrypt the package - which is done by asking for the password from the user. After doing so, the TGT is decrypted and is saved in the ticket cache.
The TGT itself has parts encrypted with a secret only the kdc knows, it does not hold the password of the user. As, for example, this article from 2000 explains, the password is not stored in the ticket cache either - just parts from the TGT. From my understanding it is not possible, to check the user password using the ticket cache.
You might want to write your own CallbackHandler
to somehow reuse or provide the credentials programmatically, but from my understanding this might lead to security problems.
You might want to think about solving your problem with a total different approach, but there is to little information to suggest any other solution.
Thank you MaoPU for this great answer. Effectively, it seams to be impossible to retrieve the user password from Kerberos database. In order to avoid security leaks, I'll rather call a shell script that executes password check and change.