Last Successful Login always equals "never"
john at iastate.edu
Fri Apr 18 15:35:00 EDT 2008
> On Apr 18, 2008, at 12:48, John Hascall wrote:
> > Note that doing so will turn on a hardcoded! 5-strikes and a
> > principal is disabled 'feature' which provides an attacker a
> > nice DoS attack vector. We modified our KDC to re-enable
> > the principal after a minute. YMMV.
> Feel like contributing a patch?
Here's my copy of kdc/do_as_req.c
There are other mods in there, so making a specific patch
is problematic, but this code is in KRBCONF_KDC_RESET_FAILURE
ifdef blocks so it shouldn't be hard to find.
Because I had to abuse existing variables so as to maintain
DB compatibility, there is a quirk that you can't specifically
do 'modprinc -allow_tix' without also resetting 'fail_auth_count'.
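
The timed re-enable described in this message, sketched as an added example; it is not the attached do_as_req.c and not MIT Kerberos code. The struct, the function names, and the rule that an administrative disable zeroes the counter so that it is never auto-re-enabled are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define MAX_FAILURES  5   /* the "5 strikes" from the thread */
#define RESET_SECONDS 60  /* "re-enable the principal after a minute" */

/* Hypothetical stand-in for a principal's DB entry. */
struct principal {
    unsigned fail_auth_count; /* consecutive failed authentications */
    time_t   last_failed;     /* time of the most recent failure */
    bool     tix_disallowed;  /* set by lockout or by an administrator */
};

/* Admin disable: zero the counter so the timed reset never applies
 * (assumed reading of the 'modprinc -allow_tix' quirk). */
void admin_disable(struct principal *p) {
    p->tix_disallowed = true;
    p->fail_auth_count = 0;
}

/* Call before verifying credentials. Lifts a lockout-induced disable
 * once RESET_SECONDS have passed; returns true if the request may go on. */
bool as_req_allowed(struct principal *p, time_t now) {
    if (p->tix_disallowed && p->fail_auth_count >= MAX_FAILURES &&
        now - p->last_failed >= RESET_SECONDS) {
        p->tix_disallowed = false;
        p->fail_auth_count = 0;
    }
    return !p->tix_disallowed;
}

/* Call only for requests that passed as_req_allowed() and then failed. */
void record_failure(struct principal *p, time_t now) {
    p->last_failed = now;
    if (++p->fail_auth_count >= MAX_FAILURES)
        p->tix_disallowed = true;
}

int main(void) {
    struct principal p = {0, 0, false};
    time_t t = 1000; /* constructed timestamps */
    for (int i = 0; i < MAX_FAILURES; i++)
        record_failure(&p, t + i);
    printf("locked at +5s: %d\n", !as_req_allowed(&p, t + 5));
    printf("allowed at +64s: %d\n", as_req_allowed(&p, t + 64));
    return 0;
}
```

The timed reset bounds the lockout to the period in which bad requests keep arriving; it does not remove the lockout itself.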