kerberos blacklisting

Rich Frobose frobose at
Tue Oct 5 19:14:45 EDT 2004

I would like to know if the MIT KDC supports black listing (i.e. not issuing
tickets for a principal after a set number of password failures.)  If it does
not, has anyone implemented extensions to provide that feature?

I have a second question that relates to this issue but is not just confined
to black listing.

I realize that preauthentication must be enabled for the KDC to "know"
about a password/authentication failure.  I have done that.  I then used
kadmin to do "getprinc" so that I could see information about a given 
principal.  The reply
to "getpric <NAME>" included the following lines (for a principal
that is definitely using preauthentication):
   Last successful authentication: [never]
   Last failed authentication: [never]
   Failed password attempts: 0
This tells me that these fields are not being reported properly.  I had
previously authenticated as this principal and have had failures.

Question: Why are these fields not getting updated and reported properly?

Thanks for the help.
Richard Frobose

More information about the Kerberos mailing list