Kerberos User Stats never get updated
Ken Raeburn
raeburn at MIT.EDU
Tue Jun 16 07:56:55 EDT 2009
On Jun 16, 2009, at 07:24, Matthew.GARRETT at external.total.com wrote:
> Using MIT Kerberos Server on a RedHat Linux Server
> The following stats never seem to get updated
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
The KDC normally doesn't even get such information, but with
preauthentication in use it may be possible to figure it out.
However, the KDC is also normally built to access the database in read-
only fashion, so it doesn't actually update these fields even if the
information is available. Third, even if the KDC is rebuilt with the
options to make it update the database (and I'm not 100% sure if it
still compiles in that mode), at least in the db2-based database
implementation, the statistics from the master server would be pushed
out to the slaves with the rest of the database info, and the
statistics from the slaves would simply be discarded; the LDAP-based
database would better support updates from both master and slaves, but
with a race condition (two KDCs could try incrementing the failed-
attempt counter simultaneously by both reading the old value at the
same time, and then both writing the incremented value, causing one
increment to be lost).
So, in short, the current implementation doesn't really support these
fields well at all.
--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
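
The lost increment described in the message above, as an added example that is not part of the original post or of MIT Kerberos. The `Directory` class, the `fail_count` key and the `compare_and_set` call are hypothetical stand-ins for a shared principal database, not krb5 or LDAP APIs. It replays the interleaving with plain writes, then with writes that are conditional on the value read.

```python
class Directory:
    """Stand-in for the shared principal database (hypothetical, not a krb5 or LDAP API)."""
    def __init__(self):
        self.attrs = {"fail_count": 0}  # constructed sample record

    def read(self, key):
        return self.attrs[key]

    def write(self, key, value):
        self.attrs[key] = value

    def compare_and_set(self, key, expected, new):
        # Conditional write: succeeds only if the value is still what the caller read.
        if self.attrs[key] != expected:
            return False
        self.attrs[key] = new
        return True


def racy_two_kdcs(db):
    """Interleaving from the message: both KDCs read, then both write."""
    seen_a = db.read("fail_count")      # KDC A reads 0
    seen_b = db.read("fail_count")      # KDC B reads 0 before A has written
    db.write("fail_count", seen_a + 1)  # A writes 1
    db.write("fail_count", seen_b + 1)  # B also writes 1: one increment is lost
    return db.read("fail_count")


def cas_increment(db, stale=None):
    """Increment with retry; `stale` lets the demo force an outdated first read."""
    retries = 0
    seen = db.read("fail_count") if stale is None else stale
    while not db.compare_and_set("fail_count", seen, seen + 1):
        retries += 1
        seen = db.read("fail_count")    # value changed underneath us: re-read, retry
    return retries


def safe_two_kdcs(db):
    """Same interleaving, but each write is conditional on the value that was read."""
    seen_b = db.read("fail_count")      # KDC B reads 0 early
    cas_increment(db)                   # KDC A: 0 -> 1
    retries_b = cas_increment(db, stale=seen_b)  # B's first try fails, retry: 1 -> 2
    return db.read("fail_count"), retries_b


if __name__ == "__main__":
    print("unconditional writes:", racy_two_kdcs(Directory()))
    print("conditional writes:  ", safe_two_kdcs(Directory()))
```

With plain writes, two failed attempts are recorded as one, so any threshold based on the counter is reached later than the real number of failures.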