[28878] in Kerberos
Re: Account lockout support in Solaris 10 when authenticating against
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Tue Dec 11 09:51:08 2007
Date: Tue, 11 Dec 2007 08:50:18 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: "Yu, Ming" <Ming.Yu@ipc.com>
Message-ID: <20071211145018.GL11013@Sun.COM>
Mail-Followup-To: "Yu, Ming" <Ming.Yu@ipc.com>,
"Douglas E. Engert" <deengert@anl.gov>, kerberos@mit.edu
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <1D6EDDB3E43F3B40BC089CCFEE99DB7DF647C5@exnanycmbx1.corp.root.ipc.com>
Cc: kerberos@mit.edu, "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, Dec 10, 2007 at 08:32:57PM -0500, Yu, Ming wrote:
> But I am still not clear how to "lock out" an account after n failed
> logins.
>
> Are you saying there is no way to do it in the current version of MIT
> Kerberos?
I'm saying that the MIT and Solaris KDCs do not support that feature.
BUT, you can write a script to "scrape" (i.e., tail) the KDC log files,
keep a per-principal count of failed logins, and disable principals with
too many consecutive failed logins.
Doug's comment about /etc/passwd was about how you might lock out an
account that you know you want to lock out, but Doug should really have
told you to either disable the principal[*] or to use the passwd(1)
command with the -l option.
[*] Disabling the principal will cause the account to be locked IF AND
ONLY IF Kerberos V is the only way to authenticate the account
(e.g., because the passwd field of the account is "NP", as Doug
suggests).
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
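The log-scraping approach Nicolas describes (tail the KDC log, keep a per-principal count of consecutive failed logins, disable principals that cross a threshold), as an added example that is not part of the original message or of the MIT or Solaris Kerberos code. It assumes the AS_REQ line shape of an MIT-style krb5kdc.log (the sample lines are constructed, and the regex should be checked against your own KDC's output), treats PREAUTH_FAILED as a failed login and ISSUE as a success that resets the count, and emits the kadmin.local `modify_principal -allow_tix` command that disables a principal instead of running it.

```python
"""Consecutive-failure counter over KDC log lines.

Added example for the log-scraping approach described in the message above;
it is not code from the message's author or from MIT/Solaris Kerberos.
"""
import re
from collections import defaultdict

# AS_REQ line shape approximated from MIT krb5kdc.log output (assumption:
# verify against your own KDC's log format before relying on the pattern).
AS_REQ_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"   # present only on ISSUE lines
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)"
)

# A wrong password shows up as PREAUTH_FAILED; ISSUE means a ticket was
# granted.  NEEDED_PREAUTH is the normal first round trip and is neither.
FAILURE_STATUSES = {"PREAUTH_FAILED"}
SUCCESS_STATUSES = {"ISSUE"}


def consecutive_failures(lines, threshold):
    """Track consecutive AS_REQ failures per client principal.

    Returns (counts, to_disable): the current consecutive-failure count for
    every principal seen, and the principals that reached the threshold in
    the order they crossed it.  A successful ISSUE resets the counter, so
    only *consecutive* failures count, as the message suggests.
    """
    counts = defaultdict(int)
    to_disable = []
    for line in lines:
        m = AS_REQ_RE.search(line)
        if not m:
            continue  # TGS_REQ lines, kadmind chatter, etc. are ignored
        client, status = m.group("client"), m.group("status")
        if status in FAILURE_STATUSES:
            counts[client] += 1
            if counts[client] >= threshold and client not in to_disable:
                to_disable.append(client)
        elif status in SUCCESS_STATUSES:
            counts[client] = 0
    return dict(counts), to_disable


def disable_commands(principals):
    """kadmin.local one-liners that stop ticket issuance for each principal.

    Returned for an operator to review rather than executed: an automatic
    lockout is also a denial-of-service lever against legitimate users.
    """
    return ['kadmin.local -q "modify_principal -allow_tix %s"' % p
            for p in principals]


# Constructed sample log (not real KDC output).  With threshold=3:
#   alice fails twice, then succeeds -> counter reset to 0
#   bob fails three times in a row   -> disable
#   carol fails once                 -> below threshold
_PFX = "Dec 11 08:40:%02d kdc krb5kdc[1234](info): "
_AS = "AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: "
_SVC = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
SAMPLE_LOG = [
    _PFX % 1 + _AS + "NEEDED_PREAUTH: alice@EXAMPLE.COM for " + _SVC
    + ", Additional pre-authentication required",
    _PFX % 2 + _AS + "PREAUTH_FAILED: alice@EXAMPLE.COM for " + _SVC
    + ", Decrypt integrity check failed",
    _PFX % 3 + _AS + "PREAUTH_FAILED: alice@EXAMPLE.COM for " + _SVC
    + ", Decrypt integrity check failed",
    _PFX % 4 + _AS + "ISSUE: authtime 1197384004, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.COM for " + _SVC,
    _PFX % 5 + "TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime "
    "1197384004, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for "
    "host/fs.example.com@EXAMPLE.COM",
    _PFX % 6 + _AS + "PREAUTH_FAILED: bob@EXAMPLE.COM for " + _SVC
    + ", Decrypt integrity check failed",
    _PFX % 7 + _AS + "PREAUTH_FAILED: bob@EXAMPLE.COM for " + _SVC
    + ", Decrypt integrity check failed",
    _PFX % 8 + _AS + "PREAUTH_FAILED: bob@EXAMPLE.COM for " + _SVC
    + ", Decrypt integrity check failed",
    _PFX % 9 + _AS + "PREAUTH_FAILED: carol@EXAMPLE.COM for " + _SVC
    + ", Decrypt integrity check failed",
]

if __name__ == "__main__":
    counts, locked = consecutive_failures(SAMPLE_LOG, threshold=3)
    print("consecutive failures:", counts)
    for cmd in disable_commands(locked):
        print(cmd)
```

In production the list would be fed from `tail -F` on the KDC log rather than from an in-memory list, and the counter state would need to survive restarts; the reset-on-success rule is what keeps a single mistyped password from accumulating toward a lockout over weeks.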