KDC performance test - lookaside cache impact, testing framework
Nico Williams
nico at cryptonector.com
Thu Jun 21 13:35:56 EDT 2012
+1 to Sam's concerns about KDC affinity in pre-auth methods.
A better answer would be that OTP servers should handle the potential
for Kerberos-related repeat attempts without causing lockout. In a
way this is very much related to the N-strikes-you're-locked issue
we've discussed on krb-wg, which brings me to: ideally password
guessing attacks should be dealt with in some way that is better than
N-strikes-you're-locked, and my proposal for that is:
- better, plant-wide heuristics for detecting password guessing attacks combined with
- either temporary user account locking or, better, bringing forward the user's password expiration date
- throttling authentication for users
Better heuristics to me means: a) looking for high rates of failed
pre-authentication from one or a small number of clients regardless of
the actual user principal, b) looking for out of the ordinary
pre-authentication activity based on historical data (i.e., more than
1.5 or 2 standard deviations from the average for the given time of
the day), c) more pre-authentication activity (across all KDCs for the
given realm) for one user from one client than can be expected given a
user typoing their password N times in a row.
Can we get this from third-party OTP servers? Well, it'd not hurt
to ask the vendors in question... but the answer is probably "no".
Nico
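The three heuristics listed in the mail (a, b, c), written out as detection logic over constructed pre-authentication failure events. This is an added example, not code from the post or from any KDC; the event shape, thresholds, addresses and principals are all assumptions, and real KDC logs would first have to be parsed into this shape and aggregated across all KDCs of the realm.

```python
"""Heuristics a/b/c from the mail, applied to constructed failure events."""
from collections import Counter
from statistics import mean, pstdev

# Constructed events: (hour_of_day, client_ip, principal) for each failed
# pre-authentication, already merged from every KDC in the realm.
FAILURES = (
    [(9, "192.0.2.10", f"user{i}@EXAMPLE.ORG") for i in range(40)]  # one client, many users
    + [(9, "192.0.2.20", "alice@EXAMPLE.ORG")] * 7                 # one user, too many "typos"
    + [(9, "192.0.2.30", "bob@EXAMPLE.ORG")] * 2                   # ordinary typo
)
# Constructed baseline: failure counts seen at hour 9 on previous days.
HISTORY_HOUR_9 = [12, 15, 11, 14, 13, 12, 16]


def per_client_spray(events, max_per_client=20):
    """(a) High failure volume from one client regardless of principal."""
    by_client = Counter(ip for _, ip, _ in events)
    return {ip for ip, n in by_client.items() if n > max_per_client}


def baseline_anomaly(events, history, hour, sigmas=2.0):
    """(b) Today's count for this hour compared with the historical
    mean; flag when it exceeds the mean by more than `sigmas` std devs."""
    today = sum(1 for h, _, _ in events if h == hour)
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:  # flat history: any excess over the mean is unusual
        return today > mu
    return (today - mu) / sigma > sigmas


def user_client_overrun(events, max_typos=5):
    """(c) One user from one client failing more often than a person
    typoing a password N times in a row plausibly would."""
    pairs = Counter((principal, ip) for _, ip, principal in events)
    return {pair for pair, n in pairs.items() if n > max_typos}


def alerts(events, history, hour):
    """Combine the three signals into a single report."""
    return {
        "spraying_clients": per_client_spray(events),
        "hour_above_baseline": baseline_anomaly(events, history, hour),
        "locked_out_candidates": user_client_overrun(events),
    }
```

The per-(user, client) set from (c) is what would feed the throttling or expiry-bring-forward response instead of a blanket N-strikes lockout.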