KDC performance test - lookaside cache impact, testing framework

Dmitri Pal dpal at redhat.com
Thu Jun 21 15:25:10 EDT 2012


On 06/21/2012 01:35 PM, Nico Williams wrote:
> +1 to Sam's concerns about KDC affinity in pre-auth methods.
>
> A better answer would be that OTP servers should handle the potential
> for Kerberos-related repeat attempts without causing lockout.  In a
> way this is very much related to the N-strikes-you're-locked issue
> we've discussed on krb-wg, which brings me to: ideally password
> guessing attacks should be dealt with in some way that is better than
> N-strikes-you're-locked, and my proposal for that is:
>
>  - better, plant-wide heuristics for detecting password guessing
>    attacks combined with
>     - either temporary user account locking or, better, bringing
>       forward the user's password expiration date
>
>  - throttling authentication for users
>
> Better heuristics to me means: a) looking for high rates of failed
> pre-authentication from one or a small number of clients regardless of
> the actual user principal, b) looking for out of the ordinary
> pre-authentication activity based on historical data (i.e., more than
> 1.5 or 2 standard deviations from the average for the given time of
> the day), c) more pre-authentication activity (across all KDCs for the
> given realm) for one user from one client than can be expected given a
> user typoing their password N times in a row.
>
> Can we get this?  from third party OTP servers?  Well, it'd not hurt
> to ask the vendors in question... but the answer is probably "no".
>

We can ask vendors for anything; they just would not do it.
IMO it is a dead end. This is why I generally like the idea of the
affinity, though I see the challenges there too.

> Nico
> --
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
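The three heuristics Nico sketches in the quoted message (a: many failures from one client regardless of principal, b: activity well above the historical norm for that hour, c: more failures for one user from one client than repeated typos would explain) are concrete enough to run over KDC logs. The following is an added example, not code from the original thread or from MIT krb5; the log lines are constructed, their format is a simplified approximation of krb5kdc.log AS_REQ entries, and the regex, thresholds and historical baseline are all assumptions to be adjusted for a real deployment.

```python
import re
import statistics
from collections import Counter

# Constructed sample log (not from the original post). The format is a
# simplified approximation of MIT krb5kdc.log AS_REQ lines; the regex below
# is an assumption and would need adjusting for a real KDC's output.
SAMPLE_LOG = """\
Jun 21 13:35:01 kdc1 krb5kdc[2216](info): AS_REQ 203.0.113.5: PREAUTH_FAILED: alice@EXAMPLE.COM
Jun 21 13:35:02 kdc1 krb5kdc[2216](info): AS_REQ 203.0.113.5: PREAUTH_FAILED: bob@EXAMPLE.COM
Jun 21 13:35:03 kdc1 krb5kdc[2216](info): AS_REQ 203.0.113.5: PREAUTH_FAILED: carol@EXAMPLE.COM
Jun 21 13:35:04 kdc1 krb5kdc[2216](info): AS_REQ 203.0.113.5: PREAUTH_FAILED: dave@EXAMPLE.COM
Jun 21 13:35:05 kdc1 krb5kdc[2216](info): AS_REQ 203.0.113.5: PREAUTH_FAILED: erin@EXAMPLE.COM
Jun 21 13:35:06 kdc1 krb5kdc[2216](info): AS_REQ 203.0.113.5: PREAUTH_FAILED: frank@EXAMPLE.COM
Jun 21 13:40:10 kdc1 krb5kdc[2216](info): AS_REQ 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM
Jun 21 13:40:15 kdc1 krb5kdc[2216](info): AS_REQ 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM
Jun 21 13:40:20 kdc1 krb5kdc[2216](info): AS_REQ 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM
Jun 21 13:40:25 kdc1 krb5kdc[2216](info): AS_REQ 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM
Jun 21 13:40:30 kdc1 krb5kdc[2216](info): AS_REQ 192.0.2.10: ISSUE: alice@EXAMPLE.COM
Jun 21 14:02:00 kdc1 krb5kdc[2216](info): AS_REQ 192.0.2.20: PREAUTH_FAILED: bob@EXAMPLE.COM
Jun 21 14:02:05 kdc1 krb5kdc[2216](info): AS_REQ 192.0.2.20: ISSUE: bob@EXAMPLE.COM
"""

# Constructed historical baseline (assumption): failed pre-auth counts seen
# in the same hour of day on previous days, keyed by hour.
HISTORY = {13: [2, 3, 1, 2, 2], 14: [1, 2, 1, 1]}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} \S+ "
    r"krb5kdc\[\d+\]\(info\): AS_REQ (?P<client>[\d.]+): "
    r"(?P<result>PREAUTH_FAILED|ISSUE): (?P<principal>\S+)$"
)


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({
                "hour": int(m["hour"]),
                "client": m["client"],
                "principal": m["principal"],
                "failed": m["result"] == "PREAUTH_FAILED",
            })
    return events


def failures_per_client(events, threshold):
    """Heuristic (a): clients with at least `threshold` failed pre-auths,
    counted regardless of which principal was targeted."""
    counts = Counter(e["client"] for e in events if e["failed"])
    return {c: n for c, n in counts.items() if n >= threshold}


def anomalous_hours(events, history, sigmas=2.0):
    """Heuristic (b): hours whose failure count exceeds the historical mean
    for that hour by more than `sigmas` sample standard deviations.
    Hours with fewer than two historical samples are skipped, since no
    meaningful deviation can be computed for them."""
    counts = Counter(e["hour"] for e in events if e["failed"])
    flagged = {}
    for hour, n in counts.items():
        past = history.get(hour, [])
        if len(past) < 2:
            continue
        mu, sd = statistics.mean(past), statistics.stdev(past)
        if n > mu + sigmas * sd:
            flagged[hour] = {"count": n, "mean": mu, "stdev": sd}
    return flagged


def excessive_per_user_client(events, max_typos):
    """Heuristic (c): (principal, client) pairs with more failures than a
    user typoing their password `max_typos` times in a row would produce."""
    counts = Counter((e["principal"], e["client"]) for e in events if e["failed"])
    return {k: n for k, n in counts.items() if n > max_typos}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    print("a) noisy clients:", failures_per_client(ev, threshold=5))
    print("b) anomalous hours:", anomalous_hours(ev, HISTORY))
    print("c) per-user/client excess:", excessive_per_user_client(ev, max_typos=3))
```

On the constructed sample, (a) catches the client spraying one failure across six principals, which (c) alone would miss; (c) catches the four failures for one user from one client, which stays below the per-client threshold of (a); and (b) flags hour 13 because its ten failures sit far above the historical mean of two. In practice the counts in (b) and (c) would be aggregated across all KDCs in the realm, as the quoted message notes, and the flagged entries would feed a throttling or password-expiry response rather than an immediate lockout.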