account lockout after n failed password attempts
Greg Hudson
ghudson at MIT.EDU
Sat Dec 12 23:36:12 EST 2009
On Sat, 2009-12-12 at 15:53 -0500, Steve Glasser wrote:
> I was wondering if account lockout after n failed password attempts
> was ever successfully implemented with MIT Kerberos?
It has been implemented for 1.8, which is currently scheduled for
release in early March 2010. There is more information at:
http://k5wiki.kerberos.org/wiki/Projects/Lockout
Due to the way the Kerberos protocol works, account lockout can only
work for principals which require pre-authentication.
> I know this was discussed several years ago (see:
> http://mailman.mit.edu/pipermail/kerberos/2007-December/012705.html).
> I haven't seen any responses more current than that. It looks like
> an inherent design problem because with multiple kdc servers there is
> no way to keep a centralized count of failed login attempts.
Our implementation does not synchronize lockout state between KDCs. If
you have N slave KDCs, the attacker will get N times as many attempts
before being locked out on all of them.
> Btw, does anyone know how Microsoft got around this problem (assuming
> they did so), as they do offer account lockout after n failed login
> attempts?
My best understanding is that Microsoft does not synchronize the number
of failed attempts between KDCs, but (unlike our implementation) does
lock a user out on all KDCs if a user triggers the lockout conditions on
one of them. I'm not 100% certain of this, however.
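To make the two points in the reply concrete (lockout only counts for principals that require pre-authentication, and unsynchronized per-KDC counters multiply the attempt budget), here is a small model added as an example; it is not code from the thread or from MIT Kerberos. It assumes wrong-password attempts are spread round-robin across the KDCs, and the principal name, password and threshold are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    password: str
    requires_preauth: bool

@dataclass
class KDC:
    """One KDC with its own, unsynchronized failed-attempt counters."""
    max_failures: int
    principals: dict
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def as_request(self, princ, password):
        p = self.principals[princ]
        if princ in self.locked:
            return "LOCKED"
        if not p.requires_preauth:
            # No pre-authentication: the KDC issues the reply without ever
            # checking the client's key, so a wrong password is not a failure
            # it can count; the reply merely fails to decrypt on the client.
            return "REPLY_ISSUED"
        if password == p.password:
            self.failures[princ] = 0
            return "TGT"
        self.failures[princ] = self.failures.get(princ, 0) + 1
        if self.failures[princ] >= self.max_failures:
            self.locked.add(princ)
        return "PREAUTH_FAILED"

def attempts_until_locked_everywhere(n_kdcs, max_failures, requires_preauth,
                                     propagate_lockout, limit=1000):
    """Spread wrong-password attempts round-robin over n_kdcs KDCs and count
    how many it takes before every KDC refuses the principal (None: never)."""
    princs = {"alice": Principal("alice", "correct-horse", requires_preauth)}
    kdcs = [KDC(max_failures, princs) for _ in range(n_kdcs)]
    for attempt in range(1, limit + 1):
        kdc = kdcs[(attempt - 1) % n_kdcs]
        kdc.as_request("alice", "wrong-password")
        if propagate_lockout and "alice" in kdc.locked:
            for other in kdcs:      # the behaviour Greg attributes to Microsoft
                other.locked.add("alice")
        if all("alice" in k.locked for k in kdcs):
            return attempt
    return None
```

With three KDCs and a five-strike limit, independent counters allow 15 attempts, propagated lockout allows 13 (four on each KDC plus the one that trips it), and a principal without pre-authentication is never locked out at all.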