Last Successful Login always equals "never"

John Hascall john at
Fri Apr 18 15:24:11 EDT 2008

> On Apr 18, 2008, at 12:48, John Hascall wrote:
> > Note that doing so will turn on a hardcoded! 5-strikes and an
> > principal is disabled 'feature' which provides an attacker a
> > nice DoS attack vector.  We modified our KDC to re-enable
> > the principal after a minute.  YMMV.
> Feel like contributing a patch?
> I don't think we can just make the functionality change without  
> discussion, but if it's configurable, or the compiled-in default  
> interval is something so unreasonably large as to approximate the  
> existing behavior (unless one makes what could be a very small change  
> to the source), the functionality change shouldn't be much of an  
> issue.  Especially if it continues not to be compiled in by default.   
> Which is also something we could consider changing, especially with a  
> patch that leaves the default behavior as is -- no recording, database  
> open read-only -- in case anyone is thinking of contributing such a  
> thing....

I can certainly make my diffs available, BUT it is not
possible to do this right without major changes because
the right way to do it would be in the POLICY, but unlike
the principal DB (tl_data) there is no extension method
for the policy db :(

That is:
   mod_policy -strikes 5 -reenable "5m"        == good

#ifdef KRBCONF_KDC_RESET_FAILURE               == kinda ickey
    ... code blobs which abuse client.fail_auth_count ...


More information about the Kerberos mailing list