Account lockout support in Solaris 10 when authenticating against Kerberos
Douglas E. Engert
deengert at anl.gov
Tue Dec 11 09:58:28 EST 2007
Nicolas Williams wrote:
> On Mon, Dec 10, 2007 at 08:32:57PM -0500, Yu, Ming wrote:
>> But I am still not clear how to "lock out" an account after n
>> failed logins.
>>
>> Are you saying there is no way to do it in current version of MIT
>> kerberos?
>
> I'm saying that the MIT and Solaris KDCs do not support that feature.
>
> BUT, you can write a script to "scrape" (i.e., tail) the KDC log files,
> keep a per-principal count of failed logins, and disable principals with
> too many consecutive failed logins.
>
> Doug's comment about /etc/passwd was about how you might lock out an
> account that you know you want to lock out, but Doug should really have
> told you to either disable the principal[*] or to use the passwd(1)
> command with the -l option.
I said we use Windows AD for the KDCs and it does lock out a principal after
N attempts, and can unlock them after M minutes too. So this has not been
an issue for us.
>
> [*] Disabling the principal will cause the account to be locked IF AND
> ONLY IF Kerberos V is the only way to authenticate the account
> (e.g., because the passwd field of the account is "NP", as Doug
> suggests).
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
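The log-scraping lockout Nicolas sketches above (keep a per-principal count of consecutive failed logins from the KDC log, then disable the principal) as an added Python example; it is not code from this thread. The krb5kdc.log line shapes and the sample lines are constructed assumptions, and the kadmin.local "modprinc -allow_tix" command is only generated, never run.

```python
import re
from collections import defaultdict

# Assumed shape of MIT krb5kdc.log AS_REQ lines; adjust the pattern for your KDC build.
AS_REQ_RE = re.compile(
    r"AS_REQ .*?: (?P<result>PREAUTH_FAILED|ISSUE):.*?(?P<client>\S+@\S+) for krbtgt/"
)


def scan_kdc_log(lines, threshold=3):
    """Return {principal: consecutive_failures} for principals at or over threshold.

    A successful ticket issue (ISSUE) resets that principal's counter, so only
    consecutive pre-authentication failures count, as the post suggests.
    """
    failures = defaultdict(int)
    for line in lines:
        m = AS_REQ_RE.search(line)
        if not m:
            continue  # not an AS_REQ outcome we track (TGS_REQ, startup noise, ...)
        client = m.group("client")
        if m.group("result") == "ISSUE":
            failures.pop(client, None)
        else:
            failures[client] += 1
    return {p: n for p, n in failures.items() if n >= threshold}


def lockout_commands(to_lock):
    """kadmin.local one-liners that disable ticket issuance for each principal."""
    return [f'kadmin.local -q "modprinc -allow_tix {p}"' for p in sorted(to_lock)]


def _kdc_line(ts, ip, body):  # constructed sample, styled after krb5kdc.log
    return f"Dec 11 {ts} kdc krb5kdc[2312](info): AS_REQ (4 etypes {{18 17 16 23}}) {ip}: {body}"


FAIL = "PREAUTH_FAILED: {p} for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed"
OK = "ISSUE: authtime 1197384601, etypes {{rep=18 tkt=18 ses=18}}, {p} for krbtgt/EXAMPLE.COM@EXAMPLE.COM"

# Constructed sample log: alice fails twice, then succeeds (counter resets); bob fails three times.
SAMPLE_LOG = [
    _kdc_line("09:50:01", "10.0.0.5", FAIL.format(p="alice@EXAMPLE.COM")),
    _kdc_line("09:50:07", "10.0.0.5", FAIL.format(p="alice@EXAMPLE.COM")),
    _kdc_line("09:50:20", "10.0.0.5", OK.format(p="alice@EXAMPLE.COM")),
    _kdc_line("09:51:02", "10.0.0.9", FAIL.format(p="bob@EXAMPLE.COM")),
    _kdc_line("09:51:09", "10.0.0.9", FAIL.format(p="bob@EXAMPLE.COM")),
    _kdc_line("09:51:15", "10.0.0.9", FAIL.format(p="bob@EXAMPLE.COM")),
    _kdc_line("09:52:00", "10.0.0.5", FAIL.format(p="alice@EXAMPLE.COM")),
]

if __name__ == "__main__":
    for cmd in lockout_commands(scan_kdc_log(SAMPLE_LOG)):
        print(cmd)
```

A production version would tail the live log and persist the counters; an automatic unlock after M minutes (the AD behaviour Doug mentions) would be a timestamped variant of the same counter.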