Account lockout support in Solaris 10 when authenticating against Kerberos

Douglas E. Engert deengert at anl.gov
Tue Dec 11 09:28:16 EST 2007



Yu, Ming wrote:
> Hi! Doug,
>  
>   So your point is that the account lockout feature is really not part 
> of Kerberos, but part of Solaris?


As Nico points out there is the lockout when the user enters the wrong
password too many times in a row. Helps avoid guessing attacks. The KDC would
do that, and could be part of the authentication process. We use Windows AD
as the KDC, and it can lockout principals (i.e. won't issue a ticket) after N number
of wrong guesses.

And as I was pointing out, you can lockout an "account" as part of an
authorization process, by using the *LK* in /etc/passwd, NIS or LDAP (nss-ldap).
This can be done on a per host basis, or an NIS, LDAP domain basis.
The *LK* works on linux too.

>  
>   Because /etc/password is really the file where Solaris user accounts' 
> passwords are stored.

Yes and no. An entry in /etc/passwrd, NIS or LDAP is a combination of
authentication data: (user and password) and authorization data:
(user, (password != *LK*)) and meta data: (user, uid, gid, home, shell).

Kerberos authentication does not uses the passwd file for authenticaiton,
later parts of the login process do use it for authorization.

(Kerberos KDCs can use LDAP to store its authorization data, but this
can be seperate from the LDAP storing passwd, NIS type data.)

So what do *you* mean by "Account lockout support in Solaris 10",
and what part of Solaris 10 do you see as lacking?

>  
>   Please clarify.
>  
>   Thanks,
>  
>   Ming
> 
> ------------------------------------------------------------------------
> *From:* Douglas E. Engert [mailto:deengert at anl.gov]
> *Sent:* Mon 12/10/2007 6:11 PM
> *To:* Yu, Ming
> *Cc:* kerberos at mit.edu
> *Subject:* Re: Account lockout support in Solaris 10 when authenticating 
> against Kerberos
> 
> 
> 
> Yu, Ming wrote:
>  > Hi! Guys,
>  >
>  > 
>  >
>  >                We are trying to authenticate users against Kerberos on
>  > Solaris 10.
>  >
>  > 
>  >
>  >                I found that MIT Kerberos does not support account
>  > lockout and/or inactive account lockout features.
>  >
>  > 
>  >
>  >                Does anybody know how to implement account lockout
>  > features on Solaris 10 when the user authenticates against Kerberos?
>  >
>  > 
> 
> See "man shadow".  /etc/passwd, NIS or LDAP can have *LK* to indicate
> it is locked. I think it is the pam_unix_account that checks for this.
> For a Kerberos account without a local password use something like NP
> for the password.
> 
> 
>  >
>  >                Since without account lockout support, it would be an
>  > acceptable security risk for our customers.
>  >
>  > 
>  >
>  >                Thanks,
>  >
>  > 
>  >
>  >                Ming
>  >
>  > 
>  >
>  >               
>  >
>  > 
>  >
>  > 
>  >
>  >
>  >
>  > DISCLAIMER:
>  > Important Notice *************************************************
>  > This e-mail may contain information that is confidential, privileged 
> or otherwise protected from disclosure. If you are not an intended 
> recipient of this e-mail, do not duplicate or redistribute it by any 
> means. Please delete it and any attachments and notify the sender that 
> you have received it in error. Unintended recipients are prohibited from 
> taking action on the basis of information in this e-mail.E-mail messages 
> may contain computer viruses or other defects, may not be accurately 
> replicated on other systems, or may be intercepted, deleted or 
> interfered with without the knowledge of the sender or the intended 
> recipient. If you are not comfortable with the risks associated with 
> e-mail messages, you may decide not to use e-mail to communicate with 
> IPC. IPC reserves the right, to the extent and under circumstances 
> permitted by applicable law, to retain, monitor and intercept e-mail 
> messages to and from its systems.
>  > ________________________________________________
>  > Kerberos mailing list           Kerberos at mit.edu
>  > https://mailman.mit.edu/mailman/listinfo/kerberos
>  >
>  >
> 
> --
> 
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
> 
> DISCLAIMER:
> Important Notice *************************************************
> This e-mail may contain information that is confidential, privileged or 
> otherwise protected from disclosure. If you are not an intended 
> recipient of this e-mail, do not duplicate or redistribute it by any 
> means. Please delete it and any attachments and notify the sender that 
> you have received it in error. Unintended recipients are prohibited from 
> taking action on the basis of information in this e-mail.E-mail messages 
> may contain computer viruses or other defects, may not be accurately 
> replicated on other systems, or may be intercepted, deleted or 
> interfered with without the knowledge of the sender or the intended 
> recipient. If you are not comfortable with the risks associated with 
> e-mail messages, you may decide not to use e-mail to communicate with 
> IPC. IPC reserves the right, to the extent and under circumstances 
> permitted by applicable law, to retain, monitor and intercept e-mail 
> messages to and from its systems.
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list