Last Successful Login always equals "never"

Ken Raeburn raeburn at MIT.EDU
Fri Apr 18 14:22:03 EDT 2008


On Apr 18, 2008, at 12:48, John Hascall wrote:
> In the past, some  MIT folks have made dire statements about how
> this code is untested and unsafe and blah blah blah,

Sounds familiar. :-)

> Note that doing so will turn on a hardcoded! 5-strikes and a
> principal is disabled 'feature' which provides an attacker a
> nice DoS attack vector.  We modified our KDC to re-enable
> the principal after a minute.  YMMV.

Feel like contributing a patch?

I don't think we can just make the functionality change without
discussion, but if it's configurable, or the compiled-in default
interval is something so unreasonably large as to approximate the
existing behavior (unless one makes what could be a very small change
to the source), the functionality change shouldn't be much of an
issue.  Especially if it continues not to be compiled in by default.
Which is also something we could consider changing, especially with a
patch that leaves the default behavior as is -- no recording, database
open read-only -- in case anyone is thinking of contributing such a
thing....

Ken
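The behaviour the two messages argue about (a fixed strike threshold that disables a principal, the denial-of-service exposure that creates, and the one-minute automatic re-enable versus a compiled-in interval large enough to approximate "disabled until an admin intervenes") can be modelled in a few dozen lines. The following is an added example written for this page; it is not MIT Kerberos code and it is not the patch Hascall describes. The `LockoutPolicy` class, the `simulate` helper, the principal name `alice` and the injectable `now` clock are all constructed for illustration; only the 5-strike threshold and the 60-second interval come from the thread.

```python
"""Model of a KDC-style lockout policy: a principal is disabled after a
fixed number of failed attempts and re-enabled after an interval.
Constructed example for the mailing-list discussion; not MIT krb5 code."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

MAX_STRIKES = 5                 # the hardcoded "5-strikes" threshold from the thread
DEFAULT_REENABLE_SECS = 60.0    # the one-minute re-enable interval Hascall describes
# A compiled-in default "so unreasonably large as to approximate the
# existing behavior": in this model, never re-enable automatically.
NEVER_REENABLE_SECS = float("inf")


@dataclass
class PrincipalState:
    failures: int = 0
    disabled_at: Optional[float] = None
    last_success: Optional[float] = None   # reported as "never" until a login succeeds


class LockoutPolicy:
    """Per-principal strike counter with time-based automatic re-enable.

    `now` is passed in explicitly so the policy can be exercised offline
    without sleeping; a real KDC would use its own clock."""

    def __init__(self, max_strikes: int = MAX_STRIKES,
                 reenable_secs: float = DEFAULT_REENABLE_SECS) -> None:
        self.max_strikes = max_strikes
        self.reenable_secs = reenable_secs
        self.principals: Dict[str, PrincipalState] = {}

    def _state(self, name: str) -> PrincipalState:
        return self.principals.setdefault(name, PrincipalState())

    def is_disabled(self, name: str, now: float) -> bool:
        st = self._state(name)
        if st.disabled_at is None:
            return False
        if now - st.disabled_at >= self.reenable_secs:
            # Interval elapsed: clear the lock and the strike counter.
            st.disabled_at = None
            st.failures = 0
            return False
        return True

    def record_attempt(self, name: str, ok: bool, now: float) -> str:
        """Record one authentication attempt; returns 'ok', 'failed' or 'disabled'.

        Note the DoS property: failures are counted per principal, so anyone
        who can submit wrong credentials for a name can lock out its owner."""
        if self.is_disabled(name, now):
            return "disabled"
        st = self._state(name)
        if ok:
            st.failures = 0
            st.last_success = now
            return "ok"
        st.failures += 1
        if st.failures >= self.max_strikes:
            st.disabled_at = now
            return "disabled"
        return "failed"

    def last_successful_login(self, name: str) -> Union[str, float]:
        st = self._state(name)
        return "never" if st.last_success is None else st.last_success


def simulate(reenable_secs: float) -> Tuple[str, str, Union[str, float]]:
    """Five wrong guesses for 'alice' at t=0..4, then the legitimate user
    presents correct credentials at t=30 and again at t=65 (constructed)."""
    policy = LockoutPolicy(reenable_secs=reenable_secs)
    for t in range(MAX_STRIKES):
        policy.record_attempt("alice", ok=False, now=float(t))
    at_30 = policy.record_attempt("alice", ok=True, now=30.0)
    at_65 = policy.record_attempt("alice", ok=True, now=65.0)
    return at_30, at_65, policy.last_successful_login("alice")


if __name__ == "__main__":
    # One-minute re-enable: the owner is locked out at t=30 but back in at t=65.
    print("reenable after 60s:", simulate(DEFAULT_REENABLE_SECS))
    # Effectively-infinite interval: the owner stays locked out until an admin acts.
    print("reenable never:    ", simulate(NEVER_REENABLE_SECS))
```

With the 60-second interval the owner's attempt at t=65 succeeds and the last-successful-login field moves off "never"; with the effectively infinite interval both attempts are refused and the field stays at "never", which is the stuck state the thread's subject line describes. Making `reenable_secs` a constructor parameter is the "configurable" option Ken asks for; the lock is released lazily on the next lookup rather than by a background timer, so nothing needs to sweep the database.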
