Account-Locking on Master-KDC

Friedbert Müller frd_mueller at web.de
Fri May 12 11:04:40 EDT 2006


As far as I understand, in a standard master-slave configuration, no information about authentication failures on a slave is passed on to the master KDC. Only if the master_kdc attribute in the krb5.conf file is used will the client attempt an authentication to the master if it fails on a slave server.
This feature is not supported by the Kerberos implementation in JDK 1.4.2.

So, if an attacker tries to guess an account's password and authenticate to a slave, a resulting account lock will be overwritten by the next replication. Is there a method within the MIT implementation to transfer the information about failed authentications from slaves to the master, resulting in an account lock on all KDCs? Besides that, we would also like to make information about the last successful authentication accessible on the master.

Thanks

Fred
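
Added example, not part of the original message and not MIT Kerberos code: because the post describes failure information staying local to each KDC, this script totals pre-authentication failures per principal across the logs of all KDCs, so guessing spread over several slaves is still visible. The log line layout, host names, address and principals are constructed assumptions in the style of krb5kdc logging.

```python
import re
from collections import defaultdict

def _line(host, status, princ):
    # Constructed sample line; the layout is an assumed krb5kdc-style format.
    return (f"May 12 11:00:01 {host} krb5kdc[411](info): AS_REQ (1 etypes {{16}}) "
            f"192.0.2.7: {status}: {princ}@EXAMPLE.ORG for "
            f"krbtgt/EXAMPLE.ORG@EXAMPLE.ORG")

# Constructed logs, one list per KDC (hypothetical hosts and principals).
SAMPLE_LOGS = {
    "kdc-master": [_line("kdc-master", "PREAUTH_FAILED", "alice")],
    "kdc-slave1": [_line("kdc-slave1", "PREAUTH_FAILED", "alice")] * 2
                  + [_line("kdc-slave1", "PREAUTH_FAILED", "bob")],
    "kdc-slave2": [_line("kdc-slave2", "PREAUTH_FAILED", "alice")] * 2
                  + [_line("kdc-slave2", "ISSUE", "bob")],
}

FAIL_RE = re.compile(r"AS_REQ .*? \S+: PREAUTH_FAILED: (?P<princ>\S+) for ")

def failures_by_principal(logs):
    """Return {principal: {kdc: failed pre-auth count}} over all KDC logs."""
    counts = defaultdict(lambda: defaultdict(int))
    for kdc, lines in logs.items():
        for line in lines:
            m = FAIL_RE.search(line)
            if m:
                counts[m.group("princ")][kdc] += 1
    return {p: dict(per_kdc) for p, per_kdc in counts.items()}

def over_threshold(logs, threshold):
    """Principals whose realm-wide failure total reaches the threshold,
    with the highest count any single KDC saw for comparison."""
    flagged = {}
    for princ, per_kdc in failures_by_principal(logs).items():
        total = sum(per_kdc.values())
        if total >= threshold:
            flagged[princ] = {"total": total, "max_single_kdc": max(per_kdc.values())}
    return flagged

if __name__ == "__main__":
    for princ, info in over_threshold(SAMPLE_LOGS, threshold=5).items():
        print(princ, info)
```

In the constructed data, no single KDC sees more than two failures for alice, while the combined total reaches the threshold of five.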
