Kerberos lockout after X failed tgs/tgt attempts
Paul M Fleming
pfleming at siumed.edu
Mon Sep 13 17:04:21 EDT 2004
Has anyone implemented Kerberos id lockouts after X invalid TGS/TGT
attempts? (obviously PREAUTH has to be enabled). I see reference on the
list to folks parsing the logs to do this function. I also found several
references to using the built-in untested MIT code to update the db on
fails. The MIT code has several issues that are making me lean toward
implementing some custom code to implement lockout after X fails and
auto unlock after some configurable time interval. I'm still not sure
how I'm going to handle the master/slave - distributed db issues.
Any comments or ideas would be welcome. I'm currently working on a
design for a lockout daemon unless I find a better solution.
Thanks
Paul Fleming
SIU School of Medicine
Springfield IL
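
Added example, not part of the original message and not MIT Kerberos code: a sketch of the log-parsing approach mentioned above, counting PREAUTH_FAILED records per principal in a sliding window and computing an auto-expiring lock. The log layout (ISO timestamp followed by a krb5kdc-style record), the thresholds, and the names `lock_table` and `is_locked` are assumptions; it replays one KDC's log only and does not address the master/slave question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILS = 3                       # the "X" in the post (assumed value)
WINDOW = timedelta(minutes=10)      # failures must fall inside this span (assumed)
LOCK_FOR = timedelta(minutes=15)    # auto-unlock interval (assumed value)

# Assumed line layout: ISO timestamp, then a krb5kdc-style AS_REQ/TGS_REQ record.
LINE = re.compile(
    r"^(?P<ts>\S+) krb5kdc\[\d+\]\(\w+\): (?:AS|TGS)_REQ .*?: "
    r"(?P<status>[A-Z_]+): (?:.*, )?(?P<princ>\S+) for ")

# Constructed sample input in time order, not real KDC output.
SAMPLE_LOG = """\
2004-09-13T17:00:01 krb5kdc[411](info): AS_REQ (1 etypes {16}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
2004-09-13T17:00:02 krb5kdc[411](info): AS_REQ (1 etypes {16}) 192.0.2.11: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
2004-09-13T17:00:05 krb5kdc[411](info): AS_REQ (1 etypes {16}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
2004-09-13T17:00:09 krb5kdc[411](info): AS_REQ (1 etypes {16}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
2004-09-13T17:00:30 krb5kdc[411](info): AS_REQ (1 etypes {16}) 192.0.2.11: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
2004-09-13T17:01:00 krb5kdc[411](info): AS_REQ (1 etypes {16}) 192.0.2.11: ISSUE: authtime 1095109260, etypes {rep=16 tkt=16 ses=16}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
2004-09-13T17:02:00 krb5kdc[411](info): AS_REQ (1 etypes {16}) 192.0.2.11: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

def lock_table(log_text):
    """Replay the log in order and return {principal: locked_until}."""
    fails, locked_until = defaultdict(deque), {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not a request record we understand
        ts = datetime.fromisoformat(m["ts"])
        princ, status = m["princ"], m["status"]
        if status == "ISSUE":
            fails[princ].clear()          # a successful request resets the count
        elif status == "PREAUTH_FAILED" and locked_until.get(princ, ts) <= ts:
            q = fails[princ]              # failures during a lock are not counted
            q.append(ts)
            while q[0] <= ts - WINDOW:    # drop failures older than the window
                q.popleft()
            if len(q) >= MAX_FAILS:
                locked_until[princ] = ts + LOCK_FOR
                q.clear()
    return locked_until

def is_locked(table, princ, now):
    """True while the lock has not yet expired (the auto-unlock check)."""
    until = table.get(princ)
    return until is not None and now < until
```

A daemon built on this would still have to act on the table, for example by disabling and later re-enabling the principal through the KDC's administrative interface, which the sketch leaves out.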