[28879] in Kerberos


Re: Account lockout support in Solaris 10 when authenticating

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Tue Dec 11 09:55:56 2007

Date: Tue, 11 Dec 2007 08:55:09 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <20071211145509.GM11013@Sun.COM>
Mail-Followup-To: "Douglas E. Engert" <deengert@anl.gov>,
	"Yu, Ming" <Ming.Yu@ipc.com>, kerberos@mit.edu
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <475EA01B.7090303@anl.gov>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Dec 11, 2007 at 08:35:07AM -0600, Douglas E. Engert wrote:
> But using PAM to lock out a user is per machine.
> If you are trying to avoid password guesses, the user could
> try another machine, and get another N guesses. Better than
> nothing, but maybe not what you really want.
> 
> As Russ points out below, maybe some intrusion detection system
> might also be in order, with PAM notifying the IDS.

Then compromised clients can DoS your whole domain.  But then, if you're
implementing an N-strikes-you're-locked policy then they could anyway
(which is why account lockout after N failed logins is a bad idea,
particularly if you don't unlock the account automatically after a short
period of time).

Slowing down folks who are trying to guess passwords is a good thing.
Letting them lock out all your user accounts is not.  The folks in
charge of writing corporate security policies need to take this into
account.  N-strikes-you're-locked is bad.  N-strikes-we-slow-you-down is
good.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
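The lockout-versus-slowdown distinction Nico draws above, as an added example written for this page (it is not the poster's code and not Solaris, PAM or Kerberos code). Two per-principal policies share one interface: HardLockout refuses a principal after N failures, either until an administrator intervenes or for a fixed period; ProgressiveDelay imposes a doubling, capped wait after each failure and forgives old failures after a quiet period. The scenario is constructed: an attacker sends ten wrong passwords for one principal, one per second, and the real user then arrives with the correct password. The principal name, thresholds, delays and timeline are all assumptions chosen for illustration.

```python
"""Added example: hard account lockout vs. progressive delay, per principal.
Not Solaris, PAM or Kerberos code; all names and numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

ATTACKER_BURST = 10       # constructed: wrong guesses at t = 0, 1, ..., 9 seconds
USER_ARRIVES_AT = 10.0    # constructed: the real user tries at t = 10 seconds
ONE_DAY = 86400.0


@dataclass
class _State:
    failures: int = 0
    last_failure: float = 0.0
    not_before: float = 0.0   # attempts before this time are refused unchecked


class HardLockout:
    """N-strikes-you're-locked.  After max_failures the principal is refused
    for lock_seconds; float('inf') means 'until an administrator unlocks it'.
    Anyone who can send N wrong passwords can deny service to that principal."""

    def __init__(self, max_failures: int = 5,
                 lock_seconds: float = float("inf")) -> None:
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._state: Dict[str, _State] = {}

    def attempt(self, principal: str, password_ok: bool, now: float) -> str:
        st = self._state.setdefault(principal, _State())
        if now < st.not_before:
            return "locked"           # refused whether or not the password is right
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.not_before = now + self.lock_seconds
        return "bad-password"


class ProgressiveDelay:
    """N-strikes-we-slow-you-down.  The first free_failures cost nothing; each
    further failure doubles the mandatory wait before the next check, capped at
    max_delay, and the counter decays to zero after decay_seconds of quiet.
    The worst a hostile client can do is hold the principal to one password
    check per max_delay seconds; the account is never shut for good."""

    def __init__(self, free_failures: int = 3, base_delay: float = 1.0,
                 max_delay: float = 60.0, decay_seconds: float = 900.0) -> None:
        self.free_failures = free_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.decay_seconds = decay_seconds
        self._state: Dict[str, _State] = {}

    def attempt(self, principal: str, password_ok: bool, now: float) -> str:
        st = self._state.setdefault(principal, _State())
        if st.failures and now - st.last_failure > self.decay_seconds:
            st.failures = 0           # quiet long enough: forgive old failures
        if now < st.not_before:
            return "throttled"        # password not checked, so not a failure
        if password_ok:
            st.failures = 0
            st.not_before = 0.0
            return "ok"
        st.failures += 1
        st.last_failure = now
        excess = st.failures - self.free_failures
        if excess > 0:
            delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
            st.not_before = now + delay
        return "bad-password"


def run_scenario(policy) -> Tuple[int, str, str]:
    """Returns (wrong guesses actually checked against the password,
    the user's result at t = 10 s, the user's result one day later)."""
    principal = "alice@EXAMPLE.COM"  # constructed principal name
    checked = 0
    for t in range(ATTACKER_BURST):
        if policy.attempt(principal, False, float(t)) == "bad-password":
            checked += 1
    first = policy.attempt(principal, True, USER_ARRIVES_AT)
    later = policy.attempt(principal, True, USER_ARRIVES_AT + ONE_DAY)
    return checked, first, later


if __name__ == "__main__":
    for name, policy in [("lockout, manual unlock", HardLockout()),
                         ("lockout, 15-minute unlock", HardLockout(lock_seconds=900.0)),
                         ("progressive delay", ProgressiveDelay())]:
        checked, first, later = run_scenario(policy)
        print(f"{name:26s} checked={checked} user@10s={first} user@+1d={later}")
```

Under this scenario the manual-unlock lockout stops the attacker at five checked guesses but also keeps the real user out indefinitely; the timed lockout lets the user back in a day later, yet the attacker can re-lock the account with another five guesses whenever it opens. The progressive delay lets the attacker check only six passwords in ten seconds, and the legitimate user logs in as soon as the current wait expires.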
