Proxy for Kerberos?
John Hascall
john at iastate.edu
Fri Jul 28 21:31:09 EDT 2006
> Some KDCs are configured to enforce account lockouts on successive
> AS_REQ failures. Exposing your KDC to the internet means you are
> willing to let your users get DOSed via this mechanism by yet another
> community of users (or bots, if there are any out there).
BTW, it is a rather simple code-mod to change the MIT KDC
to automatically re-enable locked out accounts after your
choice of interval. We chose 60 seconds -- we figure that
allowing 7200 (5 * 60 * 24) attempts/day at a password is a
whole lot better than 103,680,000 (1200/sec * 60 * 60 * 24).
And a minute's wait after 5 mistakes has so far not been
seen as too onerous a price to pay for our users (certainly
it's a lot quicker than calling the help desk).
John
More information about the krbdev
mailing list