kerberos blacklisting
Rich Frobose
frobose at llnl.gov
Tue Oct 5 19:14:45 EDT 2004
I would like to know if the MIT KDC supports black listing (i.e. not issuing
tickets for a principal after a set number of password failures). If it does
not, has anyone implemented extensions to provide that feature?
I have a second question that relates to this issue but is not just confined
to black listing.
I realize that preauthentication must be enabled for the KDC to "know"
about a password/authentication failure. I have done that. I then used
kadmin to do "getprinc" so that I could see information about a given
principal. The reply to "getprinc <NAME>" included the following lines
(for a principal that is definitely using preauthentication):
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
This tells me that these fields are not being reported properly. I had
previously authenticated as this principal and have had failures.
Question: Why are these fields not getting updated and reported properly?
Thanks for the help.
Richard Frobose