Failed authentication attempts, lockouts and old passwords

Greg Hudson ghudson at
Tue Dec 16 10:47:36 EST 2014

On 12/16/2014 10:31 AM, Kenneth MacDonald wrote:
> I've been asked if it would be possible for the MIT krb5 KDC not to
> increment the failed authentication count (and presumably the time) when
> one of the older passwords was used.  I know such behaviour is not
> documented.
> I'm wondering whether the old keys stored in the database are suitable
> for attempting such a dummy authentication against.

We don't currently implement this.  The historical keys are suitable for
checking, so nothing really prevents the KDC from doing it.

There is an unfortunate complication: for no particularly good reason,
historical keys are encrypted in a "history key" (referenced by
kadmin/history) instead of in the master key.  So the KDC would have to
keep around the history key (and refresh it on decryption failure in
case the cached copy is stale) in order to get at the historical keys.

It's possible that we would decide to transition to encrypting history
keys in the master key
( as a prerequisite
for implementing this feature upstream.
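A toy model of the KDC-side check sketched above, added here as an illustration and not MIT krb5 code: an attempt that fails against the current key is re-checked against the principal's historical keys, which live under a separately cached "history key" that is refreshed when decryption with the stale cached copy fails; only then is the failure count (and time) touched. The wrap scheme, `string_to_key` stand-in, record layout and all names are constructed assumptions.

```python
"""Constructed model of a KDC that does not count an old-password attempt as a
failure. Historical keys are wrapped under a history key cached by the KDC."""
import hashlib, hmac, time

def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (constructed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def wrap(key: bytes, kek: bytes) -> bytes:
    # Toy authenticated wrap: HMAC tag || (key XOR keystream). Illustration only.
    stream = hashlib.sha256(kek + b"wrap").digest()
    body = bytes(a ^ b for a, b in zip(key, stream))
    return hmac.new(kek, body, "sha256").digest() + body

def unwrap(blob: bytes, kek: bytes) -> bytes:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, "sha256").digest()):
        raise ValueError("decryption failure (stale history key?)")
    stream = hashlib.sha256(kek + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(body, stream))

def make_entry(current: str, old_passwords, history_key: bytes, salt: str) -> dict:
    # Constructed principal record: current key in the clear (the master key is
    # out of scope here), historical keys wrapped under the history key.
    return {"salt": salt, "key": string_to_key(current, salt), "fail_count": 0,
            "last_fail": None,
            "history": [wrap(string_to_key(p, salt), history_key) for p in old_passwords]}

class Kdc:
    def __init__(self, fetch_history_key):
        self._fetch_history_key = fetch_history_key  # e.g. reads kadmin/history
        self._history_key = fetch_history_key()      # cached copy, may go stale

    def _historical_keys(self, entry: dict) -> list:
        try:
            return [unwrap(b, self._history_key) for b in entry["history"]]
        except ValueError:                           # cache stale: refresh, retry once
            self._history_key = self._fetch_history_key()
            return [unwrap(b, self._history_key) for b in entry["history"]]

    def authenticate(self, entry: dict, password: str) -> str:
        cand = string_to_key(password, entry["salt"])
        if hmac.compare_digest(cand, entry["key"]):
            entry["fail_count"] = 0
            return "ok"
        if any(hmac.compare_digest(cand, k) for k in self._historical_keys(entry)):
            return "old_password"                    # neither success nor lockout progress
        entry["fail_count"] += 1
        entry["last_fail"] = time.time()
        return "failed"
```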
