New "feature" for Kerberos?
Wayne.Morrison at hp.com
Mon Nov 11 12:39:01 EST 2002
You might want to look at how the OpenVMS operating system does
this today. There are several SYSGEN (system) parameters that
control how what you've called the "N-strikes-and-you're-out feature"
works. One turns the functionality on/off, one sets the number
of "strikes", one sets the number of seconds that evasive action
persists after each failure, and one sets the length of time that
a failure will lock out a user. There is even one to that allows
you to permanently lock out an account on failure, if you need
to do something that drastic.
Documentation about this can be found in the Guide to System Security,
at the following web site:
Kerberos Project Leader
OpenVMS Security Group
From: John Hascall [mailto:john at iastate.edu]
Sent: Saturday, November 09, 2002 10:59 AM
To: krbdev at mit.edu
Subject: New "feature" for Kerberos?
The University Auditors seem to be chomping at the bit for
some sort of N-strikes-and-you're-out feature. In my opinion,
the only way this makes any sense is if it auto-re-enables
after some period of time (I sure don't want to do a whole
bunch by hand).
Before I start:
- is this stupid and I should resist harder?
- is anybody else working on something like this?
- does my plan (below) seem a reasonable approach?
- what are the odds of getting such a mod into the
std dist so I don't have to keep refitting it?
More information about the krbdev