Last Successful Login always equals "never"

John Hascall john at iastate.edu
Fri Apr 18 12:48:39 EDT 2008


> pachl wrote:
> > When running ``kadmin get <principal>`` for any principal, the "Last
> > successful login" and the "Last failed login" lines always equal
> > "never." What does the "Last successful login" line mean? Where and
> > how would I have to login to change the status of this line from
> > "never"?
> >
> > I have used kinit from several machines and have also used the
> > system login at the console, which exclusively uses kerberosV (local
> > password file is disabled).
> >
> > All my machines in the Kerberos realm are OpenBSD 4.1 and use Heimdal
> > 0.7.2.

> We have the same problem here with Debian and MIT Kerberos Version 5,
> Release 1.6.3 (installed from Debian packages).  All our principals
> require pre-auth.  We haven't spent any time debugging it, but if
> there's a simple solution, we'd love to know it.

By default the MIT KDC operates in ReadOnly mode
which means that it will never update these fields:

Last successful authentication: Fri Apr 18 08:07:13 CDT 2008
Last failed authentication: Thu Apr 17 14:38:29 CDT 2008
Failed password attempts: 0

To get it to do so, you need to rebuild the KDC from source
using the "--with-kdc-kdb-update" option when you run configure.
In the past, some MIT folks have made dire statements about how
this code is untested and unsafe and blah blah blah, but we've
been doing it for years.

Note that doing so will turn on a hardcoded! 5-strikes and a
principal is disabled 'feature' which provides an attacker a
nice DoS attack vector.  We modified our KDC to re-enable
the principal after a minute.  YMMV.

John
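An added example, not from John's message and not code from the MIT or Heimdal projects: a small Python parser for the three tracking lines John quotes from his KDC, with an audit that flags principals whose fields still read "never" (the symptom pachl reported, which on an unmodified MIT KDC simply means the fields are not being updated) and principals close to the 5-strike lockout John describes. The sample getprinc text, the principal names and the `LOCKOUT_STRIKES` constant are constructed assumptions for this example, not values from the thread or from any documented KDC setting.

```python
"""Parse the authentication-tracking fields of MIT ``kadmin getprinc`` output.

Everything below the docstring is an added, self-contained example. The sample
output is constructed (it is not from the mailing-list thread); only the three
field names match the lines quoted in the thread.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumption taken from the thread's description ("5 strikes and the principal
# is disabled"); it is not a documented or configurable MIT constant here.
LOCKOUT_STRIKES = 5

# Constructed sample: two principals dumped one after another, separated by a
# blank line, in the layout getprinc prints.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.ORG
Expiration date: [never]
Last successful authentication: Fri Apr 18 08:07:13 CDT 2008
Last failed authentication: Thu Apr 17 14:38:29 CDT 2008
Failed password attempts: 4

Principal: bob@EXAMPLE.ORG
Expiration date: [never]
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
"""

_FIELD = re.compile(r"^([^:]+):\s*(.*)$")


@dataclass
class PrincipalAuth:
    principal: str
    last_success: Optional[datetime]  # None when the KDC reports "never"
    last_failure: Optional[datetime]  # None when the KDC reports "never"
    failed_attempts: int


def _parse_stamp(value: str) -> Optional[datetime]:
    """Turn 'Fri Apr 18 08:07:13 CDT 2008' (or '[never]' / 'never') into a datetime."""
    text = value.strip().strip("[]")
    if text.lower() == "never":
        return None
    tokens = text.split()
    if len(tokens) == 6:  # drop the zone abbreviation (e.g. CDT); strptime cannot parse it portably
        del tokens[4]
    return datetime.strptime(" ".join(tokens), "%a %b %d %H:%M:%S %Y")


def parse_getprinc(text: str) -> List[PrincipalAuth]:
    """Split getprinc output into per-principal records, ignoring fields we do not track."""
    records: List[PrincipalAuth] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            match = _FIELD.match(line)
            if match:
                fields[match.group(1).strip()] = match.group(2).strip()
        if "Principal" not in fields:
            continue  # not a principal dump; skip defensively
        records.append(
            PrincipalAuth(
                principal=fields["Principal"],
                last_success=_parse_stamp(fields.get("Last successful authentication", "never")),
                last_failure=_parse_stamp(fields.get("Last failed authentication", "never")),
                failed_attempts=int(fields.get("Failed password attempts", "0")),
            )
        )
    return records


def audit(records: List[PrincipalAuth], strikes: int = LOCKOUT_STRIKES) -> Dict[str, List[str]]:
    """Report principals whose tracking fields are untouched, and those one failure from lockout."""
    untracked = [r.principal for r in records if r.last_success is None and r.last_failure is None]
    near_lockout = [r.principal for r in records if r.failed_attempts >= strikes - 1]
    return {"untracked": untracked, "near_lockout": near_lockout}


if __name__ == "__main__":
    parsed = parse_getprinc(SAMPLE_GETPRINC)
    for key, names in audit(parsed).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run against real `kadmin -q "getprinc <name>"` output, a realm where every principal lands in `untracked` is the read-only behaviour John describes; once the fields are live, the `near_lockout` list is the thing to watch, since a handful of bad passwords against a service or admin principal is enough to disable it.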


