Account lockout support in Solaris 10 when authenticating against Kerberos

Russ Allbery rra at stanford.edu
Mon Dec 10 20:45:49 EST 2007


"Yu, Ming" <Ming.Yu at ipc.com> writes:

>   But I am still not clear how to "lock out" account after n-times of
>   failed login.
>  
>   Are you saying there is no way to do it in current version of MIT
>   kerberos?

Right, there's no way to do it at a Kerberos level.  There are various
things that you can do within the service that's authenticating, but it
may require development on your part.  (For example, if you're
authenticating the user via PAM, you could store the PAM failure count
somewhere and reject logins to that user once the failures reach a
particular threshold, something you could do without modifying anything
about how Kerberos works.)

Converting a failed authentication compromise into a denial of service
attack is generally a stupid idea, IMO.  Far better to start rejecting
packets from a host that's apparently trying to do a dictionary attack.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
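The two approaches contrasted in the reply above, as an added illustration (this is not code from the post, from Solaris PAM, or from MIT Kerberos): a sliding-window failure counter that the authenticating service keeps itself, applied once keyed by principal (the per-user lockout the questioner asked about) and once keyed by client host (the rejection Russ prefers). The threshold of 5 failures in 600 seconds, the credential table standing in for the KDC, and the 203.0.113.7 / 192.0.2.10 addresses are all constructed for the example.

```python
"""Lockout-policy comparison for a service that authenticates against Kerberos.

Added example; thresholds, addresses and credentials are assumptions.
"""
from collections import defaultdict, deque

# Constructed stand-in for the KDC.  The policies never see the password;
# they only see whether the real authentication succeeded or failed.
CREDENTIALS = {"alice": "correct horse", "bob": "battery staple"}


class FailureCounter:
    """Count authentication failures per key inside a sliding time window.

    The key is whatever the caller chooses: a principal name for a per-user
    lockout, or a client address for a per-host block.
    """

    def __init__(self, threshold=5, window=600.0):
        self.threshold = threshold          # failures before the key is blocked
        self.window = window                # seconds a failure stays counted
        self._events = defaultdict(deque)   # key -> timestamps of failures

    def _prune(self, key, now):
        """Drop failures older than the window; return the live queue."""
        q = self._events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def blocked(self, key, now):
        return len(self._prune(key, now)) >= self.threshold

    def failure(self, key, now):
        self._prune(key, now).append(now)


# Key selectors: what the counter is indexed on.
BY_USER = lambda user, host: user   # per-user lockout
BY_HOST = lambda user, host: host   # per-host rejection


def login(counter, key_of, user, host, password, now):
    """One authentication attempt.  Returns 'locked', 'ok' or 'bad-password'."""
    key = key_of(user, host)
    if counter.blocked(key, now):
        return "locked"                 # rejected before touching the KDC
    if CREDENTIALS.get(user) == password:
        return "ok"
    counter.failure(key, now)           # count only real failures
    return "bad-password"


def simulate(key_of):
    """Attacker burns through the threshold against 'alice', then alice
    logs in from her own machine with the right password.

    Returns (attacker's next result, alice's result).
    """
    counter = FailureCounter(threshold=5, window=600.0)
    attacker = "203.0.113.7"   # constructed address (TEST-NET-3)
    for i in range(5):
        login(counter, key_of, "alice", attacker, "guess%d" % i, now=float(i))
    attacker_result = login(counter, key_of, "alice", attacker, "guess5", now=5.0)
    alice_result = login(counter, key_of, "alice", "192.0.2.10", "correct horse", now=6.0)
    return attacker_result, alice_result


if __name__ == "__main__":
    # Per-user lockout: the attacker's five bad guesses also lock out alice,
    # turning a failed guessing run into a denial of service against her.
    print("per-user lockout:", simulate(BY_USER))
    # Per-host block: the attacker's host is refused, alice still gets in.
    print("per-host block:  ", simulate(BY_HOST))
```

Either policy lives entirely in the service (here, wherever the PAM stack or daemon can keep state) and needs no change to Kerberos itself, which is the point of the reply. The per-user variant is exactly the one an attacker can weaponise: anyone who can send five wrong passwords for a principal denies that principal service for the whole window.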