Password Lockout
Derek Atkins
derek at ihtfp.com
Tue Jul 8 22:24:39 EDT 2003
Brian <brianslist at apple.com> writes:
> I need to set a password lockout scheme, such that on a configured
> entry the KDC should limit the number of password attempts. I did not
> find any explicit settings on policies as well as principal add/modify
> commands. Is this parameter settable? I also went through the
> source code and found this at do_as_req.c
Well, I guess it depends what kind of lockout scheme you want. There
are certainly some policies you can set easily. There are a number
of protocol policies available, but that doesn't imply the implementation
supports all those policies.
> #ifdef KRBCONF_KDC_MODIFIES_KDB
>     /*
>      * Note: this doesn't work if you're using slave servers!!!
>      * It also causes the database to be modified (and thus
>      * need to be locked) frequently.
>      */
>     if (client.fail_auth_count < KRB5_MAX_FAIL_COUNT) {
>         client.fail_auth_count = client.fail_auth_count + 1;
>         if (client.fail_auth_count == KRB5_MAX_FAIL_COUNT) {
>             client.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
>         }
>     }
>     client.last_failed = kdc_time;
>     update_client = 1;
> #endif
>
>
> Under what condition does KRBCONF_KDC_MODIFIES_KDB get enabled?
It's a compile-time configure option.
> Thanks
>
> Nirmalan
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
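
Added example, not part of the original message and not the Kerberos source: a stand-alone C model of the quoted fragment, showing what the compile-time switch turns on and why the source comment warns about slave servers. The struct, the helper names and the constant values are assumptions made for this example, and each KDC's database is modeled as an independent copy of the entry.

```c
#include <stdio.h>

/* Constructed stand-ins for the KDC's types and constants; the values are
 * assumptions of this example, not taken from the post. */
#define KRB5_MAX_FAIL_COUNT       5
#define KRB5_KDB_DISALLOW_ALL_TIX 0x40u
#define KRBCONF_KDC_MODIFIES_KDB  1  /* delete this line to compile the lockout out */

struct db_entry { unsigned fail_auth_count, attributes; long last_failed; };

/* Failed-authentication path from the quoted fragment. Returns 1 when the
 * entry changed and has to be written back to the database. */
static int note_failed_auth(struct db_entry *client, long kdc_time)
{
    int update_client = 0;
#ifdef KRBCONF_KDC_MODIFIES_KDB
    if (client->fail_auth_count < KRB5_MAX_FAIL_COUNT) {
        client->fail_auth_count++;
        if (client->fail_auth_count == KRB5_MAX_FAIL_COUNT)
            client->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
    }
    client->last_failed = kdc_time;
    update_client = 1;          /* every failure costs a database write */
#else
    (void)client; (void)kdc_time;
#endif
    return update_client;
}

static int is_locked(const struct db_entry *e)
{
    return (e->attributes & KRB5_KDB_DISALLOW_ALL_TIX) != 0;
}

/* Apply n failures to one database copy; returns the lock state afterwards. */
static int locked_after(struct db_entry *e, int n)
{
    for (int i = 0; i < n; i++)
        note_failed_auth(e, 1000 + i);
    return is_locked(e);
}

int main(void)
{
    struct db_entry one = {0}, a = {0}, b = {0};
    printf("5 failures counted in one copy: locked=%d\n", locked_after(&one, 5));
    locked_after(&a, 3);        /* the same 5 failures, counted in two copies */
    printf("3 + 2 across two copies: locked=%d\n", locked_after(&b, 2) || is_locked(&a));
    return 0;
}
```

In this model the flag is set only when the counter reaches the limit and nothing in the fragment clears it, so an entry stays disabled until its attributes are changed by other means.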