Last Successful Login always equals "never"
Ken Raeburn
raeburn at MIT.EDU
Fri Apr 18 14:22:03 EDT 2008
On Apr 18, 2008, at 12:48, John Hascall wrote:
> In the past, some MIT folks have made dire statements about how
> this code is untested and unsafe and blah blah blah,
Sounds familiar. :-)
> Note that doing so will turn on a hardcoded! 5-strikes and a
> principal is disabled 'feature' which provides an attacker a
> nice DoS attack vector. We modified our KDC to re-enable
> the principal after a minute. YMMV.
Feel like contributing a patch?
I don't think we can just make the functionality change without
discussion, but if it's configurable, or the compiled-in default
interval is something so unreasonably large as to approximate the
existing behavior (unless one makes what could be a very small change
to the source), the functionality change shouldn't be much of an
issue. Especially if it continues not to be compiled in by default.
Which is also something we could consider changing, especially with a
patch that leaves the default behavior as is -- no recording, database
open read-only -- in case anyone is thinking of contributing such a
thing....
Ken