New "feature" for Kerberos?

Matt Crawford crawdad at
Mon Nov 11 09:51:01 EST 2002

> The University Auditors seem to be chomping at the bit for
> some sort of N-strikes-and-you're-out feature.
> Before I start:
>  - is this stupid and I should resist harder?

It only makes sense if you can see an appreciable chance that
passwords can be guessed.  If you impose a length & diversity
requirement and the cracklib dictionary test, and you require
password changes regularly, this risk is minimal.  (Only someone
who shoulder-surfed most of a password would be able to guess.
Someone who sniffed keystrokes would have the whole thing

It goes without saying, I hope, that if you don't require
preauthentication for all user principals, you are wide open to
an offline password guesser no matter what else you do!  But if
you have a sniffer who captures an AS_REP, you're currently still
vulnerable to offline guessers.

And of course, if you have multiple KDCs, a guesser can direct
successive guesses to different ones, making your implementation

>    if (checkPassword(princ, pass) == OK) {
>       princ.failed_cnt = 0;
>    } else {
>       princ.failed_cnt++;

Be sure to distinguish clock skew from wrong key.

More information about the krbdev mailing list