mechanisms for restricting/throttling kerberos transactions

Albert Lunde Albert-Lunde at northwestern.edu
Thu Nov 4 12:40:12 EST 2004


I'd like to know what mechanisms may exist for restricting kerberos
transactions.

I'm interested in:

1) restricting by source domain/IP
2) rate-limiting for a given source IP
3) denying access to IPs with a large number of failures
  (with whitelist exceptions for known/trusted servers)

I'm interested in both generic MIT-compatible kerberos and kerberos using
Active Directory.

Our first concern is with limiting the scope of password-guessing attacks,
though there are probably some other applications.

(We are moving away from direct use of Kerberos on the desktop, and mainly
using it in server-to-server transactions, with SSL for the last hop. This
makes IP restriction conceivable, though I'm not sure how much it will help
us, or if it's feasible in the software and protocols involved. If we adopt
a WebISO system based on Kerberos, things might change.)

-- 
     Albert Lunde         Albert-Lunde at northwestern.edu (new address)
                          Albert-Lunde at nwu.edu (old address)
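One way to approach item 3 on the MIT side, as an added example that is not part of the original post: a sliding-window count of PREAUTH_FAILED AS_REQ events per source IP over krb5kdc log lines, with a whitelist for known servers. It assumes the syslog-style krb5kdc log line shape shown in the constructed sample, a fixed year (the timestamp carries none), and that the result would be fed to a firewall or KDC access control separately.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the AS_REQ line shape written by MIT krb5kdc under a syslog-style prefix.
# Assumption: this prefix format; the sample lines below are constructed, not real logs.
KDC_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
)

def _kdc_line(sec, ip, status, tail):
    """Build one constructed krb5kdc log line for the sample below."""
    return (f"Nov 04 12:40:{sec} kdc krb5kdc[1234](info): AS_REQ (4 etypes {{18 17 16 23}}) "
            f"{ip}: {status}: {tail}")

FAIL = "alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Preauthentication failed"
OK = "authtime 1099590012, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU"

SAMPLE_LOG = (
    [_kdc_line(f"{s:02d}", "203.0.113.7", "PREAUTH_FAILED", FAIL) for s in range(0, 12, 2)]  # 6 failures in 10 s
    + [_kdc_line("13", "203.0.113.7", "ISSUE", OK)]                                      # later success, ignored
    + [_kdc_line(f"{s:02d}", "192.0.2.5", "PREAUTH_FAILED", FAIL) for s in range(20, 32, 2)]  # 6, but whitelisted
    + [_kdc_line("40", "198.51.100.9", "PREAUTH_FAILED", FAIL),
       _kdc_line("41", "198.51.100.9", "PREAUTH_FAILED", FAIL)]                          # only 2, below threshold
)

def failing_sources(lines, threshold=5, window_seconds=60, whitelist=frozenset(), year=2004):
    """Return {ip: peak_failures} for source IPs that reached `threshold` PREAUTH_FAILED
    events inside any sliding window of `window_seconds`, skipping whitelisted IPs.
    `year` is an assumption: the syslog-style timestamp does not carry one."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = KDC_LINE.match(line)
        if not m or m.group("status") != "PREAUTH_FAILED" or m.group("ip") in whitelist:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(failing_sources(SAMPLE_LOG, whitelist={"192.0.2.5"}))  # {'203.0.113.7': 6}
```

The threshold and window are the tuning knobs: a short window catches fast guessing, while a long one will also sweep up a NAT gateway or a server with a stale keytab, which is exactly why the whitelist is needed.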


