Proxy for Kerberos?

Jeffrey Altman jaltman at
Sat Jul 29 10:09:58 EDT 2006

Cesar Garcia wrote:
> I've been away from the MIT and Heimdal KDC implementations for some
> time, but for installations with [lots of] slaves, would both of these
> features (lockout and unlock) require sufficiently frequent replication, of at
> least those bits of the kdb, in both directions (master <=> slaves) to
> be all that effective?
> I guess that's a rhetorical question, so I guess what I'm really
> asking is how does MIT/Heimdal handle replicating this data at
> sufficiently frequent intervals?

Replication is not the desired semantic for this information.  You don't
want to overwrite the previous values such as "last attempt" and "number
of attempts".  Instead, periodically you want each server to broadcast
its list of applicable attempts for those principals that were accessed
since the most recent broadcast.  The receivers of the updates need to
merge the data to construct their current view of the world for that

Right now there is nothing like this for MIT's code base.

Note that even if there is an accurate means of synchronizing this
information, there is not a one-to-one relationship between a user
entering her principal and password and a request being sent to a KDC.
Today's clients frequently make multiple requests to one or more KDCs,
so even when you have a multi-master configuration such as Active
Directory, setting a policy of "three login attempts before lockout"
will not provide the behavior that administrators anticipate.

Given the public nature of the service and the protocol interactions,
lockout is probably not the best choice of policy.  Instead, a reduction
in KDC performance as John describes is preferable for most environments.

Jeffrey Altman
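The merge semantic described in the message above (each KDC broadcasts the attempts it observed since its last broadcast; receivers merge rather than overwrite) can be illustrated with a small model. This is an added example, not code from MIT Kerberos, Heimdal, or the poster; the `Attempt` record, the `KdcLocal` and `MergedView` classes, and the timestamps in `compare_schemes` are constructed assumptions chosen only to show how overwrite replication loses failed attempts that a union-based merge preserves.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One authentication attempt as observed by one KDC (assumed record layout)."""
    kdc: str         # KDC that observed the request
    seq: int         # per-KDC sequence number; (kdc, seq) uniquely identifies the event
    principal: str
    when: int        # epoch seconds (constructed values below)
    success: bool    # True for a successful AS exchange, False for a failed one


class KdcLocal:
    """One KDC: records what it sees and emits only the events since its last broadcast."""

    def __init__(self, name: str):
        self.name = name
        self.seq = 0
        self.log: list[Attempt] = []
        self.sent = 0  # index into self.log of the first event not yet broadcast

    def observe(self, principal: str, when: int, success: bool) -> None:
        self.seq += 1
        self.log.append(Attempt(self.name, self.seq, principal, when, success))

    def broadcast(self) -> list[Attempt]:
        """Return the delta since the previous broadcast and advance the cursor."""
        batch = self.log[self.sent:]
        self.sent = len(self.log)
        return batch


class MergedView:
    """Receiver side: a union of events keyed by (kdc, seq), so redelivery is idempotent."""

    def __init__(self):
        self.events: dict[tuple[str, int], Attempt] = {}

    def merge(self, batch: list[Attempt]) -> None:
        for ev in batch:
            self.events.setdefault((ev.kdc, ev.seq), ev)  # never overwrite a known event

    def state(self, principal: str) -> tuple[int | None, int]:
        """Derive (last_attempt, consecutive failures) from every KDC's events, in time order."""
        evs = sorted((e for e in self.events.values() if e.principal == principal),
                     key=lambda e: (e.when, e.kdc, e.seq))
        last, failures = None, 0
        for e in evs:
            last = e.when
            failures = 0 if e.success else failures + 1
        return last, failures


def overwrite_state(records: list[tuple[int, int]]) -> tuple[int | None, int]:
    """Naive replication: each incoming (last_attempt, attempts) record replaces the previous one."""
    state: tuple[int | None, int] = (None, 0)
    for rec in records:
        state = rec
    return state


def compare_schemes() -> dict[str, int]:
    """Constructed scenario: 'alice' fails twice against kdc1 and twice against kdc2."""
    k1, k2 = KdcLocal("kdc1"), KdcLocal("kdc2")
    k1.observe("alice", 1000, False)
    k1.observe("alice", 1010, False)
    k2.observe("alice", 1005, False)
    k2.observe("alice", 1020, False)

    # Overwrite replication: kdc2's record replaces kdc1's, and two failures vanish.
    _, overwritten = overwrite_state([(1010, 2), (1020, 2)])

    # Merge: a receiver applies both broadcasts; redelivering kdc1's batch changes nothing.
    view = MergedView()
    b1 = k1.broadcast()
    view.merge(b1)
    view.merge(k2.broadcast())
    view.merge(b1)
    _, merged = view.state("alice")
    return {"overwrite": overwritten, "merge": merged}


if __name__ == "__main__":
    print(compare_schemes())  # {'overwrite': 2, 'merge': 4}
```

A successful attempt resets the consecutive-failure count in `state`, and a KDC's second `broadcast` call is empty until it observes new requests, matching the "only what changed since the most recent broadcast" idea in the message.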


More information about the krbdev mailing list