New "feature" for Kerberos?
Matt Crawford
crawdad at fnal.gov
Mon Nov 11 09:51:01 EST 2002
> The University Auditors seem to be chomping at the bit for
> some sort of N-strikes-and-you're-out feature.
>
> Before I start:
> - is this stupid and I should resist harder?
It only makes sense if you can see an appreciable chance that
passwords can be guessed. If you impose a length & diversity
requirement and the cracklib dictionary test, and you require
password changes regularly, this risk is minimal. (Only someone
who shoulder-surfed most of a password would be able to guess.
Someone who sniffed keystrokes would have the whole thing
already.)
It goes without saying, I hope, that if you don't require
preauthentication for all user principals, you are wide open to
an offline password guesser no matter what else you do! But if
you have a sniffer who captures an AS_REP, you're currently still
vulnerable to offline guessers.
And of course, if you have multiple KDCs, a guesser can direct
successive guesses to different ones, making your implementation
harder.
> if (checkPassword(princ, pass) == OK) {
> princ.failed_cnt = 0;
> } else {
> princ.failed_cnt++;
Be sure to distinguish clock skew from wrong key.
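To make the counting rules above concrete, here is an added example (not code from this thread or from any Kerberos implementation) of a shared strike counter that bumps failed_cnt only on a wrong-key preauth failure, leaves it alone on clock skew or a missing preauth blob, resets it on success, and keeps one store for all KDCs so guesses spread across replicas still add up. The error code constants are the RFC 4120 values; the event record shape, the principal names and the store are assumptions for the example.

```python
"""Hypothetical N-strikes-and-you're-out counter for a KDC.

Example code added here, not from the krbdev thread or from any Kerberos
implementation.  It assumes the KDC reports each AS exchange as a
(kdc, principal, outcome) record, where outcome is None on success or an
RFC 4120 error code on failure.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 4120 KDC/AP error codes that matter when counting strikes.
KDC_ERR_PREAUTH_FAILED = 24    # preauth data did not decrypt: wrong key
KDC_ERR_PREAUTH_REQUIRED = 25  # client sent no preauth yet: not a guess
KRB_AP_ERR_SKEW = 37           # timestamp outside skew window: clock, not key

DEFAULT_MAX_STRIKES = 5


@dataclass
class PrincipalState:
    failed_cnt: int = 0
    locked: bool = False


class LockoutPolicy:
    """Strike counter shared by all KDC replicas.

    Keeping the counter in one store (a dict here; the KDC database or a
    replication channel in practice) means attempts directed at different
    KDCs still accumulate against the same principal.
    """

    def __init__(self, max_strikes: int = DEFAULT_MAX_STRIKES) -> None:
        self.max_strikes = max_strikes
        self.state: Dict[str, PrincipalState] = {}

    def record(self, princ: str, outcome: Optional[int]) -> PrincipalState:
        s = self.state.setdefault(princ, PrincipalState())
        if outcome is None:
            # Successful AS exchange: the client proved it holds the key.
            s.failed_cnt = 0
        elif outcome == KDC_ERR_PREAUTH_FAILED:
            # Only a decrypt failure is evidence of a wrong password.
            s.failed_cnt += 1
            if s.failed_cnt >= self.max_strikes:
                s.locked = True
        # KRB_AP_ERR_SKEW and KDC_ERR_PREAUTH_REQUIRED say nothing about the
        # password, so they neither count as a strike nor reset the counter.
        return s

    def is_locked(self, princ: str) -> bool:
        return self.state.get(princ, PrincipalState()).locked


Event = Tuple[str, str, Optional[int]]


def replay(events: Iterable[Event],
           max_strikes: int = DEFAULT_MAX_STRIKES) -> LockoutPolicy:
    """Feed a stream of AS-exchange records through one shared policy."""
    policy = LockoutPolicy(max_strikes)
    for _kdc, princ, outcome in events:
        policy.record(princ, outcome)
    return policy


# Constructed sample: alice has a skewed clock and then logs in, bob's
# account sees five wrong-key failures split across two KDCs, carol
# mistypes once and then logs in.
SAMPLE_EVENTS: List[Event] = [
    ("kdc1", "alice@EXAMPLE.ORG", KRB_AP_ERR_SKEW),
    ("kdc2", "alice@EXAMPLE.ORG", KRB_AP_ERR_SKEW),
    ("kdc1", "alice@EXAMPLE.ORG", None),
    ("kdc1", "bob@EXAMPLE.ORG", KDC_ERR_PREAUTH_REQUIRED),
    ("kdc1", "bob@EXAMPLE.ORG", KDC_ERR_PREAUTH_FAILED),
    ("kdc2", "bob@EXAMPLE.ORG", KDC_ERR_PREAUTH_FAILED),
    ("kdc1", "bob@EXAMPLE.ORG", KDC_ERR_PREAUTH_FAILED),
    ("kdc2", "bob@EXAMPLE.ORG", KDC_ERR_PREAUTH_FAILED),
    ("kdc1", "bob@EXAMPLE.ORG", KDC_ERR_PREAUTH_FAILED),
    ("kdc2", "carol@EXAMPLE.ORG", KDC_ERR_PREAUTH_FAILED),
    ("kdc2", "carol@EXAMPLE.ORG", None),
]

if __name__ == "__main__":
    policy = replay(SAMPLE_EVENTS)
    for name, st in policy.state.items():
        print(name, st)
```

Running the sample leaves alice and carol at zero strikes and unlocked, while bob is locked after the fifth wrong-key failure even though the attempts alternated between kdc1 and kdc2; the two skew errors and the preauth-required round trip never touch the counter.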