bad counting of failed preauths
Sam Hartman
hartmans at MIT.EDU
Wed Jul 3 12:39:55 EDT 2002
>>>>> "MARTAK,PAVEL" == MARTAK,PAVEL (HP-Czechia,ex1) <pavel_martak at hp.com> writes:
MARTAK,PAVEL> It seems that in realm without slave KDC's, with
MARTAK,PAVEL> preauth and KDC_KDB_UPDATE on, is not going
MARTAK,PAVEL> setting/countig/checking of number of failed
MARTAK,PAVEL> preauth's. This lead to user locking after 1/2 of
MARTAK,PAVEL> MAXIMUM_FAILED_COUNTS.
You could certainly generate (and submit) a patch that determined
whether there were multiple KDCs and didn't try the second attempt if
there was only one KDC.
You could also double the max number of logins allowed, but doing so
would give attackers an advantage as they are not required to use
clients that will try both requests.
In a realm with slaves and without some database consistency protocol
between the slaves, the fall back to master is important.
P.S> I'm amazed the database update code actually works.
--Sam
More information about the Kerberos
mailing list