[28877] in Kerberos


Re: Account lockout support in Solaris 10 when

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Tue Dec 11 09:35:59 2007

Message-ID: <475EA01B.7090303@anl.gov>
Date: Tue, 11 Dec 2007 08:35:07 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "Yu, Ming" <Ming.Yu@ipc.com>
In-Reply-To: <1D6EDDB3E43F3B40BC089CCFEE99DB7D03DE2C1A@exnanycmbx1.corp.root.ipc.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Yu, Ming wrote:
> Russ, 
> 
>    Thanks for the help.
> 
>    That is the info I am looking for.

But using PAM to lockout a user, is per machine.
If you are trying to avoid password guesses, the user could
try another machine, and get another N guesses. Better than
nothing, but maybe not what you really want.

As Russ points out below, maybe some intrusion detection system
might also be in order, with PAM notifying the IDS.

> 
>    Ming
> 
> ----- Original Message -----
> From: kerberos-bounces@mit.edu <kerberos-bounces@mit.edu>
> To: kerberos@mit.edu <kerberos@mit.edu>
> Sent: Mon Dec 10 20:45:49 2007
> Subject: Re: Account lockout support in Solaris 10 when authenticating against Kerberos
> 
> "Yu, Ming" <Ming.Yu@ipc.com> writes:
> 
>>   But I am still not clear how to "lock out" account after n-times of
>>   failed login.
>>  
>>   Are you saying there is no way to do it in current version of MIT
>>   kerberos?
> 
> Right, there's no way to do it at a Kerberos level.  There are various
> things that you can do within the service that's authenticating, but it
> may require development on your part.  (For example, if you're
> authenticating the user via PAM, you could store the PAM failure count
> somewhere and reject logins to that user once the failures reach a
> particular threshold, something you could do without modifying anything
> about how Kerberos works.)
> 
> Converting a failed authentication compromise into a denial of service
> attack is generally a stupid idea, IMO.  Far better to start rejecting
> packets from a host that's apparently trying to do a dictionary attack.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
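The thread above contrasts two policies: counting failures per account (the PAM lockout Ming asked about, which Doug notes is only per machine) and counting failures per source host (what Russ prefers). The script below is an added example, not code from the thread or from MIT Kerberos: it tallies failed AS_REQs from a KDC log over a sliding window and reports both views side by side. The log excerpt is constructed, its line layout is modelled on krb5kdc logging but is an assumption here, and the year 2007 is assumed because syslog-style timestamps carry none. The sample is arranged so that guesses against one principal spread over three hosts stay under the per-host threshold on every host while the account total does not, which is exactly the gap Doug describes.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed KDC log excerpt (not from the thread). The line layout is modelled
# on MIT krb5kdc AS_REQ logging but is an assumption for this example.
SAMPLE_LOG = """\
Dec 11 08:20:00 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:30:01 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:30:15 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:30:40 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:31:05 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:31:20 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:31:44 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:32:02 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:32:19 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:32:33 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: PREAUTH_FAILED: ming@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:33:00 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1197383580, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 11 08:35:01 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: root@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:35:02 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Dec 11 08:35:03 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:35:04 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec 11 08:35:05 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: guest@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Dec 11 08:35:06 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

LOG_YEAR = 2007  # syslog-style timestamps carry no year; assumed for the sample

# Statuses treated as a failed authentication attempt (assumed set)
FAILURE_STATUSES = {"PREAUTH_FAILED", "CLIENT_NOT_FOUND"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \([^)]*\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)


def parse_failures(text):
    """Return (timestamp, client_ip, principal) for each failed AS_REQ line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") not in FAILURE_STATUSES:
            continue  # successful ISSUE lines and unparsed lines are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        principal = m.group("rest").split(" for ", 1)[0]
        events.append((ts, m.group("ip"), principal))
    return events


def tally(events, now, window, key):
    """Count failures per key ("ip" or "principal") inside [now - window, now]."""
    idx = 1 if key == "ip" else 2
    return Counter(e[idx] for e in events if now - window <= e[0] <= now)


def evaluate(text, now, window=timedelta(minutes=10), host_threshold=5, user_threshold=5):
    """Apply both policies to one log excerpt and return what each would flag."""
    events = parse_failures(text)
    per_host = tally(events, now, window, "ip")
    per_user = tally(events, now, window, "principal")
    return {
        # source-host policy: the host doing the guessing is what gets blocked
        "hosts_to_block": sorted(ip for ip, n in per_host.items() if n >= host_threshold),
        # per-account view: guesses against one principal, summed across all hosts
        "accounts_over_threshold": sorted(p for p, n in per_user.items() if n >= user_threshold),
        "per_host": dict(per_host),
        "per_user": dict(per_user),
    }


def evaluate_sample():
    """Run the constructed excerpt as seen at 08:40 on the sample day."""
    return evaluate(SAMPLE_LOG, now=datetime(LOG_YEAR, 12, 11, 8, 40, 0))


if __name__ == "__main__":
    for key, value in evaluate_sample().items():
        print(f"{key}: {value}")
```

Run as written, the host 198.51.100.7 (six failures against six different principals inside the window) is the only one over the per-host threshold, while ming@EXAMPLE.COM accumulates nine failures that no single host's count of three would ever trip; the 08:20 line falls outside the window and the ISSUE line is ignored. A per-machine PAM counter sees only the three-failure slices, so the account view has to be computed where all the failures are visible, which for Kerberos is the KDC.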
