Re: Account lockout support in Solaris 10 when authenticating
daemon@ATHENA.MIT.EDU (Theodore Tso)
Wed Dec 12 07:07:18 2007
Date: Wed, 12 Dec 2007 07:06:15 -0500
From: Theodore Tso <tytso@mit.edu>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20071212120615.GB8531@thunk.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <871w9t83f4.fsf@windlord.stanford.edu>
X-SA-Exim-Mail-From: tytso@thunk.org
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Tue, Dec 11, 2007 at 10:57:51AM -0800, Russ Allbery wrote:
>
> This is one of those "features" that keeps showing up in commercial
> products because it made it into some management checklist,
Not just any mindless management checklist, but various government
checklists, such as NISPOM ch. 5 (which is a requirement for systems
that contain U.S. government classified information).
So in addition to the traditional reasons why this feature has never
shown up in MIT Kerberos:
* Can actually do more harm than good by creating a trivially easy attack vector
* Hard to do 100% right in the presence of slave KDCs (which would now have to keep state, and all KDCs would need a mechanism to propagate said state to all of the other KDCs).
There's one additional twist:
* Many of the sites that need this feature are so paranoid that having a vendor supply a binary which can NOT be independently audited is easier to get past the security folks than some open source package, since if source is available, the security people want the whole darned package to be reviewed before allowing it on the classified network.
Note that I'm not saying this makes sense; I'm just describing the way
the world works for some interesting subset of Kerberos-using sites.
- Ted