Account lockout support in Solaris 10 when authenticating against Kerberos
Douglas E. Engert
deengert at anl.gov
Tue Dec 11 09:35:07 EST 2007
Yu, Ming wrote:
> Russ,
>
> Thanks for the help.
>
> That is the info I am looking for.
But using PAM to lockout a user, is per machine.
If you are trying to avoid password guesses, the user could
try another machine, and get another N guesses. Better than
nothing, but maybe not what you really want.
As Russ points out below, maybe some intrusion detection system
might also be in order, with PAM notifying the IDS.
>
> Ming
>
> ----- Original Message -----
> From: kerberos-bounces at mit.edu <kerberos-bounces at mit.edu>
> To: kerberos at mit.edu <kerberos at mit.edu>
> Sent: Mon Dec 10 20:45:49 2007
> Subject: Re: Account lockout support in Solaris 10 when authenticating against Kerberos
>
> "Yu, Ming" <Ming.Yu at ipc.com> writes:
>
>> But I am still not clear how to "lock out" account after n-times of
>> failed login.
>>
>> Are you saying there is no way to do it in current version of MIT
>> kerberos?
>
> Right, there's no way to do it at a Kerberos level. There are various
> things that you can do within the service that's authenticating, but it
> may require development on your part. (For example, if you're
> authenticating the user via PAM, you could store the PAM failure count
> somewhere and reject logins to that user once the failures reach a
> particular threshold, something you could do without modifying anything
> about how Kerberos works.)
>
> Converting a failed authentication compromise into a denial of service
> attack is generally a stupid idea, IMO. Far better to start rejecting
> packets from a host that's apparently trying to do a dictionary attack.
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
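The two points in this thread (a per-machine PAM failure counter can be sidestepped by guessing from several hosts, and a noisy source host is better rejected than the targeted account locked) can be checked against the KDC's own log, where every AS_REQ lands regardless of which client machine sent it. The script below is an added example written for this archive page, not code from Douglas Engert, Russ Allbery or MIT; the sample lines are constructed and only loosely modelled on MIT krb5kdc.log AS_REQ entries, and the status strings, threshold and IP addresses are assumptions. It counts failures three ways: per (client host, principal), which is what a per-machine PAM counter would see; per principal across all hosts; and per source host.

```python
import re
from collections import Counter

# Constructed sample, loosely modelled on MIT krb5kdc.log AS_REQ lines; not real data.
# alice is guessed twice from each of three client hosts; 10.9.9.9 tries five accounts once each;
# the last line is a successful ticket issue that must not be counted.
SAMPLE_LOG = """\
Dec 11 09:30:01 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.1.11: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:30:02 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.1.11: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:30:03 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.1.12: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:30:04 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.1.12: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:30:05 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.1.13: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:30:06 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.1.13: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:31:00 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.9.9.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:31:01 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.9.9.9: PREAUTH_FAILED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:31:02 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.9.9.9: PREAUTH_FAILED: dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:31:03 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.9.9.9: CLIENT_NOT_FOUND: erin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Dec 11 09:31:04 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.9.9.9: PREAUTH_FAILED: frank@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 11 09:32:00 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.1.20: ISSUE: authtime 1197383520, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Status strings treated as a failed password attempt (assumed set; extend as needed).
FAILURE_STATUSES = {"PREAUTH_FAILED", "CLIENT_NOT_FOUND"}

# Pulls the client IP, the status word and the requesting principal out of an AS_REQ line.
LINE_RE = re.compile(
    r"\}\) (?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<status>[A-Z_]+): (?P<principal>\S+) for "
)


def parse_failures(text):
    """Yield (source_ip, principal) for every failed AS_REQ in the log text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("status") in FAILURE_STATUSES:
            yield m.group("src"), m.group("principal")


def count_failures(text):
    """Return counters keyed by (host, principal), by principal, and by host."""
    per_pair, per_principal, per_host = Counter(), Counter(), Counter()
    for src, principal in parse_failures(text):
        per_pair[(src, principal)] += 1   # what a per-machine PAM counter sees
        per_principal[principal] += 1     # the account-wide view only the KDC has
        per_host[src] += 1                # the source-host view for packet rejection
    return per_pair, per_principal, per_host


def over_threshold(counter, threshold):
    """Keys whose failure count has reached the threshold, sorted for stable output."""
    return sorted(k for k, v in counter.items() if v >= threshold)


def report(text, threshold=5):
    """Summarise which view of the same log trips an N-failure threshold."""
    per_pair, per_principal, per_host = count_failures(text)
    return {
        "per_machine_lockouts": over_threshold(per_pair, threshold),
        "aggregate_lockouts": over_threshold(per_principal, threshold),
        "hosts_to_reject": over_threshold(per_host, threshold),
    }


if __name__ == "__main__":
    for view, hits in report(SAMPLE_LOG).items():
        print(f"{view}: {hits}")
```

With the threshold at 5, the per-machine view never trips for alice (two failures per host), the aggregate view does, and the source-host view singles out 10.9.9.9, which is the host Russ would start rejecting. The aggregate view is still the denial-of-service lever he warns about, so it is better fed to an IDS or an alert than wired to an automatic lockout.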