Last Successful Login always equals "never"

John Hascall john at
Fri Apr 18 15:35:00 EDT 2008

> On Apr 18, 2008, at 12:48, John Hascall wrote:
> > Note that doing so will turn on a hardcoded! 5-strikes and an
> > principal is disabled 'feature' which provides an attacker a
> > nice DoS attack vector.  We modified our KDC to re-enable
> > the principal after a minute.  YMMV.
> Feel like contributing a patch?

Here's my copy of kdc/do_as_req.c

There are other mods in there, so making a specfic patch
is problematic, but this code is in KRBCONF_KDC_RESET_FAILURE
ifdef blocks so it shouldn't be hard to find.

Because I had to abuse existing variables so as to maintain
DB compatibility, there is a quirk that you can't specifically
do 'modprinc -allow_tix' without also reseting 'fail_auth_count'
to zero.


More information about the Kerberos mailing list