Last Successful Login always equals "never"
John Hascall
john at iastate.edu
Fri Apr 18 15:35:00 EDT 2008
> On Apr 18, 2008, at 12:48, John Hascall wrote:
> > Note that doing so will turn on a hardcoded! 5-strikes and a
> > principal is disabled 'feature' which provides an attacker a
> > nice DoS attack vector. We modified our KDC to re-enable
> > the principal after a minute. YMMV.
>
> Feel like contributing a patch?
Here's my copy of kdc/do_as_req.c
http://john.public.iastate.edu/public/kerberos/do_as_req.c
There are other mods in there, so making a specific patch
is problematic, but this code is in KRBCONF_KDC_RESET_FAILURE
ifdef blocks so it shouldn't be hard to find.
Because I had to abuse existing variables so as to maintain
DB compatibility, there is a quirk that you can't specifically
do 'modprinc -allow_tix' without also resetting 'fail_auth_count'
to zero.
John
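
A small C model of the lockout behaviour discussed in this message, added here as an illustration; it is not the code from do_as_req.c or from MIT Kerberos. The struct, function names, and the reset-on-success rule are assumptions; only the five-failure limit, the one-minute re-enable, and the fail_auth_count name come from the message.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define MAX_FAILURES  5    /* the hardcoded five-strikes limit from the message */
#define REENABLE_SECS 60   /* "re-enable the principal after a minute" */

/* Hypothetical per-principal record; not the KDC database layout. */
struct princ_state {
    int    fail_auth_count;
    bool   disabled;
    time_t disabled_at;
};

/* Process one AS request; returns true if a ticket would be issued.
 * timed_reset=false models the lockout with no automatic re-enable. */
bool handle_as_req(struct princ_state *p, bool preauth_ok, time_t now, bool timed_reset)
{
    if (timed_reset && p->disabled && now - p->disabled_at >= REENABLE_SECS) {
        p->disabled = false;           /* lockout has aged out */
        p->fail_auth_count = 0;
    }
    if (p->disabled)
        return false;                  /* refused even with the right password */
    if (preauth_ok) {
        p->fail_auth_count = 0;        /* assumed: success clears the counter */
        return true;
    }
    if (++p->fail_auth_count >= MAX_FAILURES) {
        p->disabled = true;
        p->disabled_at = now;
    }
    return false;
}

/* Constructed scenario: five failures at t=0..4, then the real user at t_user. */
bool user_gets_ticket(bool timed_reset, time_t t_user)
{
    struct princ_state p = {0, false, 0};
    for (time_t t = 0; t < MAX_FAILURES; t++)
        handle_as_req(&p, false, t, timed_reset);
    return handle_as_req(&p, true, t_user, timed_reset);
}

int main(void)
{
    printf("no re-enable, t=3600: %d\n", user_gets_ticket(false, 3600));
    printf("timed re-enable, t=64: %d\n", user_gets_ticket(true, 64));
    return 0;
}
```

Without the timed re-enable the principal stays locked until an administrator intervenes; with it, the outage caused by five bad requests is bounded to about a minute.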