Kerberos lockout after X failed tgs/tgt attempts

Paul M Fleming pfleming at
Mon Sep 13 17:04:21 EDT 2004

Has anyone implemented Kerberos id lockouts after X invalid TGS/TGT
attempts? (obviously PREAUTH has to be enabled). I see reference on the
list to folks parsing the logs to do this function. I also found several
references to using the built-in untested MIT code to update the db on
fails. The MIT code has several issues that are making me lean toward
implementing some custom code to implement lockout after X fails and
auto unlock after some configurable time interval. I'm still not sure
how I'm going to handle the master/slave - distributed db issues.

Any comments or ideas would be welcome. I'm currently working on a
design for a lockout daemon unless I find a better solution. 


Paul Fleming
SIU School of Medicine
Springfield IL
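
The log-parsing approach mentioned in the message above, as an added example that is not part of the original post or of MIT Kerberos: it replays KDC log lines and emits lock decisions after X pre-auth failures inside a window, with auto-unlock after a configurable interval. The log line layout, the sample lines, the `replay` function and its parameter names are assumptions made for illustration. Applying the decisions to the KDC database and propagating them between master and slave KDCs is not covered.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, shaped like MIT krb5kdc syslog output (assumed format).
SAMPLE_LOG = """\
Sep 13 17:00:01 kdc1 krb5kdc[411](info): AS_REQ (2 etypes {16 1}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Sep 13 17:00:05 kdc1 krb5kdc[411](info): AS_REQ (2 etypes {16 1}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Sep 13 17:00:07 kdc1 krb5kdc[411](info): AS_REQ (2 etypes {16 1}) 192.0.2.22: ISSUE: authtime 1095112807, etypes {rep=16 tkt=16 ses=16}, bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Sep 13 17:00:09 kdc1 krb5kdc[411](info): AS_REQ (2 etypes {16 1}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Sep 13 17:20:00 kdc1 krb5kdc[411](info): AS_REQ (2 etypes {16 1}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
"""

# Captures: syslog timestamp, outcome keyword, client principal.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*?: (PREAUTH_FAILED|ISSUE): (?:.*?, )?(\S+) for ")

def replay(log_text, max_fails=3, window=timedelta(minutes=5),
           unlock_after=timedelta(minutes=15), year=2004):
    """Return [(time, principal, 'LOCK'|'UNLOCK')] decisions for a log stream."""
    fails, locked_until, actions = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, outcome, princ = m.groups()
        # Syslog timestamps carry no year, so the caller supplies one.
        now = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        # Auto-unlock every principal whose lock interval has elapsed.
        for p, until in list(locked_until.items()):
            if now >= until:
                actions.append((until, p, "UNLOCK"))
                del locked_until[p]
        if princ in locked_until:
            continue  # already locked; further failures do not extend the lock
        if outcome == "ISSUE":
            fails.pop(princ, None)  # a successful AS exchange clears the history
            continue
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in fails.get(princ, []) if now - t <= window] + [now]
        fails[princ] = recent
        if len(recent) >= max_fails:
            locked_until[princ] = now + unlock_after
            actions.append((now, princ, "LOCK"))
            fails.pop(princ)
    return actions
```

Unlocks are only noticed when the next log line arrives; a long-running daemon would also need a timer so an idle KDC still releases locks on schedule.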

