Account lockout support in Solaris 10 when authenticating against Kerberos

Nicolas Williams Nicolas.Williams at sun.com
Tue Dec 11 09:50:18 EST 2007


On Mon, Dec 10, 2007 at 08:32:57PM -0500, Yu, Ming wrote:
>   But I am still not clear how to "lock out" an account after n
>   failed logins.
>  
>   Are you saying there is no way to do it in the current version of MIT
>   Kerberos?

I'm saying that the MIT and Solaris KDCs do not support that feature.

BUT, you can write a script to "scrape" (i.e., tail) the KDC log files,
keep a per-principal count of failed logins, and disable principals with
too many consecutive failed logins.

Doug's comment about /etc/passwd was about how you might lock out an
account that you know you want to lock out, but Doug should really have
told you to either disable the principal[*] or to use the passwd(1)
command with the -l option.

[*]  Disabling the principal will cause the account to be locked IF AND
     ONLY IF Kerberos V is the only way to authenticate the account
     (e.g., because the passwd field of the account is "NP", as Doug
     suggests).
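The log-scraping approach described above, sketched as an added example (it is not from the original thread and is not part of MIT krb5 or Solaris): a Python pass over krb5kdc log lines that keeps a per-principal count of consecutive PREAUTH_FAILED events, resets it when the KDC issues that principal a ticket, and emits a kadmin.local disable command at a threshold. The log line shapes, the sample lines, the principal names and the threshold are constructed assumptions; check them against your own KDC's log format before relying on the regexes.

```python
import re
from collections import defaultdict

# Log line shapes follow the MIT krb5kdc log format as I understand it; these
# templates and the SAMPLE_LOG built from them are constructed test data.
FAIL = ("{ts} kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {{18 17 16 23}}) {ip}: "
        "PREAUTH_FAILED: {p} for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed")
OK = ("{ts} kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {{18 17 16 23}}) {ip}: "
      "ISSUE: authtime 1197384009, etypes {{rep=18 tkt=18 ses=18}}, {p} for krbtgt/EXAMPLE.COM@EXAMPLE.COM")
SAMPLE_LOG = [
    FAIL.format(ts="Dec 11 09:40:01", ip="192.0.2.10", p="alice@EXAMPLE.COM"),
    FAIL.format(ts="Dec 11 09:40:05", ip="192.0.2.10", p="alice@EXAMPLE.COM"),
    OK.format(ts="Dec 11 09:40:09", ip="192.0.2.10", p="alice@EXAMPLE.COM"),  # success resets alice
] + [FAIL.format(ts=f"Dec 11 09:41:0{i}", ip="198.51.100.7", p="bob@EXAMPLE.COM") for i in range(3)]

PREAUTH_FAILED = re.compile(r"PREAUTH_FAILED: (?P<princ>\S+) for ")
ISSUE = re.compile(r"ISSUE: .*\s(?P<princ>\S+) for ")


def disable_cmd(principal):
    """argv for disabling a principal: clearing allow_tix stops the KDC issuing it tickets.
    A production script would hand this to subprocess.run() on the KDC host."""
    return ["kadmin.local", "-q", f"modify_principal -allow_tix {principal}"]


def scan(lines, threshold=5, disable=lambda principal: None):
    """One pass over KDC log lines (in production: the stream from `tail -F`).
    Keeps a per-principal count of *consecutive* pre-auth failures, resets it on a
    successful ticket issue, and calls disable() once when the threshold is reached.
    Returns (counts, principals_disabled)."""
    failures = defaultdict(int)
    disabled = []
    for line in lines:
        m = PREAUTH_FAILED.search(line)
        if m:
            p = m.group("princ")
            failures[p] += 1
            if failures[p] == threshold and p not in disabled:
                disabled.append(p)
                disable(p)
            continue
        m = ISSUE.search(line)
        if m:
            failures[m.group("princ")] = 0  # a good login clears the streak
    return dict(failures), disabled


if __name__ == "__main__":
    counts, hit = scan(SAMPLE_LOG, threshold=3,
                       disable=lambda p: print("would run:", " ".join(disable_cmd(p))))
    print(counts, hit)
```

Because the counter is driven purely by failures against a name, anyone who can send AS-REQs can lock out a chosen principal, so pair this with a re-enable procedure and with monitoring on how often it fires.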


