Kerberos Lockout Policies.

Dennis Davis D.H.Davis at bath.ac.uk
Thu Nov 3 07:45:16 EDT 2011


I've been looking at:

http://k5wiki.kerberos.org/wiki/Projects/Lockout

which now seems available with recent versions of Kerberos.

I'm aware that there are disadvantages to using this facility.
Attempting to brute-force the password for a Kerberos principal can
be used as a denial of service attack.

But has anyone set up and is using Kerberos policies that use the
lockout facility?  If so, could you give some indication of your
settings (pw_max_fail, pw_failcnt_interval, pw_lockout_duration) and
your experience with this facility?

Feel free to email me directly if the details are considered
sensitive.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk               Phone: +44 1225 386101