New "feature" for Kerberos?

Morrison, Wayne Wayne.Morrison at
Mon Nov 11 12:39:01 EST 2002

You might want to look at how the OpenVMS operating system does
this today.  There are several SYSGEN (system) parameters that
control how what you've called the "N-strikes-and-you're-out feature"
works.  One turns the functionality on/off, one sets the number
of "strikes", one sets the number of seconds that evasive action
persists after each failure, and one sets the length of time that
a failure will lock out a user.  There is even one to that allows
you to permanently lock out an account on failure, if you need
to do something that drastic.

Documentation about this can be found in the Guide to System Security,
at the following web site:

	Wayne Morrison
	Kerberos Project Leader
	OpenVMS Security Group

-----Original Message-----
From: John Hascall [mailto:john at] 
Sent: Saturday, November 09, 2002 10:59 AM
To: krbdev at
Subject: New "feature" for Kerberos?

The University Auditors seem to be chomping at the bit for
some sort of N-strikes-and-you're-out feature.  In my opinion,
the only way this makes any sense is if it auto-re-enables
after some period of time (I sure don't want to do a whole
bunch by hand).

Before I start:
 - is this stupid and I should resist harder?
 - is anybody else working on something like this?
 - does my plan (below) seem a reasonable approach?
 - what are the odds of getting such a mod into the
   std dist so I don't have to keep refitting it?


<code snipped>

More information about the krbdev mailing list