Account lockout support in Solaris 10 when authenticating againstKerberos

[Theodore Tso]

On Tue, Dec 11, 2007 at 10:57:51AM -0800, Russ Allbery wrote:
> 
> This is one of those "features" that keeps showing up in commercial
> products because it made it into some management checklist, 

Not just any mindless management checklist, but various government
checklists, such as NISPOM ch. 5 (which is a requirement for systems
that contain U.S. government classified information).

So in addition to the traditional reasons why this feature has never
shown up in MIT Kerberos:

* Can actually do more harm than good by creating a trivially
  easy attack vector

* Hard to do 100% right in the presence of slave KDC's (which would
  now have to keep state and all KDC's would need a mechanism to
  propagate said state to all of the other KDC's).

There's one additional twist:

* Many of the sites that need this feature are so paranoid that having a
  vendor supply a binary which can NOT be independently audited is
  easier to get past the security folks than some open source package
  since if source is available, the security people want the whole
  darned package to be reviewed before allowing it on the classified
  network.

Note that I'm not saying this makes sense; I'm just describing the way
the world works for some interesting subset of Kerberos-using sites.

						- Ted