Proxy for Kerberos?
jaltman at secure-endpoints.com
Sat Jul 29 10:09:58 EDT 2006
Cesar Garcia wrote:
> I've been away from the MIT and Heimdal KDC implementations for some
> time, but for installations with [lots of] slaves, would both of these
> features (lockout and unlock) need sufficiently frequent replication, of at
> least those bits of the kdb, in both directions (master <=> slaves) to
> be all that effective?
> I guess that's a rhetorical question, so I guess what I'm really
> asking is how does MIT/Heimdal handle replicating this data at
> sufficiently frequent intervals?
Replication is not the desired semantic for this information. You don't
want to overwrite the previous values such as "last attempt" and "number
of attempts". Instead, periodically you want each server to broadcast
its list of applicable attempts for those principals that were accessed
since the most recent broadcast. The receivers of the updates need to
merge the data to construct their current view of the world for that
Right now there is nothing like this for MIT's code base.
Note that even if there is an accurate means of synchronizing this
information, there is not a one-to-one relationship between a user
entering her principal and password and a request being sent to a KDC.
Today's clients frequently make multiple requests to one or more KDCs,
so even when you have a multi-master configuration such as Active
Directory, setting a policy of "three login attempts before lockout"
will not provide the behavior that administrators anticipate.
Given the public nature of the service and the protocol interactions
lockout is probably not the best choice of policy. Instead, a reduction
in KDC performance as John describes is preferable for most environments.
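The merge semantic the reply describes, as an added example that is not part of the thread or of either KDC's code base: each KDC keeps the attempts it observed, periodically broadcasts only the entries recorded since its last broadcast, and receivers take the union keyed on (originating KDC, sequence number) instead of overwriting a counter. The class and field names (`Kdc`, `Attempt`, `failures`) and the principal and timestamp values are constructed for illustration.

```python
"""Added example: merge-based sharing of authentication attempts between KDCs
versus replication that overwrites a counter.  All names and values are
constructed for illustration; this is not MIT or Heimdal code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    kdc: str          # KDC that observed the request
    seq: int          # per-KDC sequence number; (kdc, seq) identifies the entry
    principal: str
    ts: int           # seconds since epoch (constructed)
    failed: bool


class Kdc:
    """One KDC's view of attempts, its own and those merged from peers."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.seq = 0
        self.last_broadcast_seq = 0
        # Union of everything seen, keyed so a re-delivered update is a no-op.
        self.attempts: dict[tuple[str, int], Attempt] = {}

    def record(self, principal: str, ts: int, failed: bool) -> Attempt:
        """Record one request.  Note this counts KDC requests, not user
        logins: a client that retries or talks to several KDCs produces
        several entries, which is the mismatch the reply points out."""
        self.seq += 1
        a = Attempt(self.name, self.seq, principal, ts, failed)
        self.attempts[(a.kdc, a.seq)] = a
        return a

    def broadcast(self) -> list[Attempt]:
        """Return only local entries recorded since the previous broadcast."""
        out = [a for (k, s), a in self.attempts.items()
               if k == self.name and s > self.last_broadcast_seq]
        self.last_broadcast_seq = self.seq
        return out

    def merge(self, updates: list[Attempt]) -> None:
        """Merge a peer's broadcast.  setdefault keeps the union: nothing this
        KDC already knows is overwritten, and duplicates are ignored."""
        for a in updates:
            self.attempts.setdefault((a.kdc, a.seq), a)

    def failures(self, principal: str, now: int, window: int) -> int:
        """Failed requests for principal within the last `window` seconds,
        across every KDC whose broadcasts have been merged."""
        return sum(1 for a in self.attempts.values()
                   if a.principal == principal and a.failed and now - a.ts < window)


def overwrite_replication(local_count: int, replicated_count: int) -> int:
    """The semantic the reply rejects: the replicated value replaces the local
    one, so the receiving KDC's own observations are lost."""
    return replicated_count


def demo() -> dict:
    """Two KDCs each see two failures for the same principal, then exchange
    broadcasts.  Returns what each approach ends up believing."""
    alice = "alice@EXAMPLE.COM"        # constructed principal
    k1, k2 = Kdc("kdc1"), Kdc("kdc2")
    for ts in (100, 101):
        k1.record(alice, ts, failed=True)
    for ts in (105, 106):
        k2.record(alice, ts, failed=True)

    b1, b2 = k1.broadcast(), k2.broadcast()   # two entries each
    k1.merge(b2)
    k2.merge(b1)
    k2.merge(b1)                              # redelivery is harmless

    return {
        "merged_view_kdc1": k1.failures(alice, now=200, window=600),
        "merged_view_kdc2": k2.failures(alice, now=200, window=600),
        # kdc1 pushes its counter (2) onto kdc2, which then forgets its own 2.
        "overwrite_view_kdc2": overwrite_replication(2, 2),
        "second_broadcast_kdc1": len(k1.broadcast()),   # nothing new yet
    }


if __name__ == "__main__":
    print(demo())
```

With the merge, both KDCs count all four failed requests and a re-delivered broadcast changes nothing; with overwrite replication the receiving KDC believes two. Each entry is one KDC request, so the counts still exceed the number of times the user actually typed a password, which is why the reply favors slowing the KDC over a hard lockout threshold.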