Account lockout support in Solaris 10 when authenticating against Kerberos

Nicolas Williams Nicolas.Williams at sun.com
Tue Dec 11 09:55:09 EST 2007


On Tue, Dec 11, 2007 at 08:35:07AM -0600, Douglas E. Engert wrote:
> But using PAM to lockout a user, is per machine.
> If you are trying to avoid password guesses, the user could
> try another machine, and get another N guesses. Better than
> nothing, but maybe not what you really want.
> 
> As Russ points out below, maybe some intrusion detection system
> might also be in order, with PAM notifying the IDS.

Then compromised clients can DoS your whole domain.  But then, if you're
implementing an N-strikes-you're-locked policy then they could anyways
(which is why account lockout after N failed logins is a bad idea,
particularly if you don't unlock the account automatically after a short
period of time).

Slowing down folks who are trying to guess passwords is a good thing.
Letting them lock out all your user accounts is not.  The folks in
charge of writing corporate security policies need to take this into
account.  N-strikes-you're-locked is bad.  N-strikes-we-slow-you-down is
good.

Nico
-- 
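The two policies Nico contrasts, N-strikes-you're-locked versus N-strikes-we-slow-you-down, are easy to compare in a small simulation. The following is an added example written for this archive page; it is not code from Solaris PAM, MIT Kerberos, or anyone in the thread. The class names, the parameter values (3 free attempts, a 1 s base delay doubling to a 300 s cap, failures forgotten after 900 s) and the principal `alice@EXAMPLE.COM` are all constructed for illustration. Both policies keep a per-principal failure counter; the difference is that the hard lockout never clears on its own, while the backoff imposes a bounded, self-expiring delay.

```python
"""Per-account hard lockout versus per-account exponential backoff.

Illustrative code for the mailing-list discussion above; names and
numbers are assumptions, not any real PAM module's configuration.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Record:
    failures: int = 0   # consecutive failed attempts for one principal
    last: float = 0.0   # clock value at the most recent failure


@dataclass
class FailureTracker:
    """Shared bookkeeping; subclasses decide what a failure count means."""
    records: Dict[str, Record] = field(default_factory=dict)

    def failed(self, principal: str, now: float) -> None:
        rec = self.records.setdefault(principal, Record())
        rec.failures += 1
        rec.last = now

    def succeeded(self, principal: str) -> None:
        self.records.pop(principal, None)   # a good login resets the count

    def wait_before_attempt(self, principal: str, now: float) -> float:
        raise NotImplementedError


@dataclass
class HardLockout(FailureTracker):
    """N-strikes-you're-locked: once `limit` consecutive failures are seen
    the principal is refused until an administrator resets it."""
    limit: int = 3

    def wait_before_attempt(self, principal: str, now: float) -> float:
        rec = self.records.get(principal)
        return math.inf if rec and rec.failures >= self.limit else 0.0


@dataclass
class BackoffThrottle(FailureTracker):
    """N-strikes-we-slow-you-down: after `free` failures each further failure
    doubles the wait before the next attempt, capped at `cap` seconds.
    Failures older than `forget_after` seconds are dropped, so the account
    always recovers by itself."""
    free: int = 3
    base: float = 1.0
    cap: float = 300.0
    forget_after: float = 900.0

    def wait_before_attempt(self, principal: str, now: float) -> float:
        rec = self.records.get(principal)
        if rec is None:
            return 0.0
        if now - rec.last >= self.forget_after:
            del self.records[principal]     # stale history is forgotten
            return 0.0
        if rec.failures < self.free:
            return 0.0
        delay = min(self.base * 2 ** (rec.failures - self.free), self.cap)
        return max(0.0, rec.last + delay - now)


def run_guessing(policy: FailureTracker, principal: str, attempts: int,
                 start: float = 0.0) -> Tuple[int, float]:
    """Feed `attempts` wrong guesses through a policy, honouring every wait it
    demands. Returns (guesses that were actually checked, clock at the end)."""
    now, checked = start, 0
    for _ in range(attempts):
        wait = policy.wait_before_attempt(principal, now)
        if math.isinf(wait):
            break               # hard lock: nothing further can be tried
        now += wait
        policy.failed(principal, now)
        checked += 1
    return checked, now


def compare(attempts: int = 12, later: float = 1000.0) -> Dict[str, dict]:
    """Run the same guessing burst under both policies and report what the
    account's real owner faces `later` seconds after the burst ends."""
    principal = "alice@EXAMPLE.COM"          # constructed sample principal
    results = {}
    for name, policy in (("lockout", HardLockout()), ("backoff", BackoffThrottle())):
        checked, end = run_guessing(policy, principal, attempts)
        results[name] = {
            "guesses_checked": checked,
            "seconds_spent": end,
            "owner_wait_later": policy.wait_before_attempt(principal, end + later),
        }
    return results


if __name__ == "__main__":
    print(compare())
```

With the constructed parameters, 12 wrong guesses under the hard lockout stop after 3 and leave the owner locked out indefinitely (an infinite wait), which is exactly the denial-of-service handle Nico warns about. Under the backoff the same 12 guesses take 511 seconds of wall-clock time to submit, and 1000 seconds later the owner logs in with no delay because the history has expired. The caveat that remains is that while a guessing run is in progress the owner shares the delay, bounded by `cap`; that is the trade the message argues for, a slowdown rather than a lock.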