See my feedback below, prefixed with Tim>

On Tue, Dec 11, 2007 at 10:57:51AM -0800, Russ Allbery wrote:
> This is one of those "features" that keeps showing up in commercial
> products because it made it into some management checklist,

Not just any mindless management checklist, but various government checklists, such as NISPOM ch. 5 (which is a requirement for systems that contain U.S. government classified information). So in addition to the traditional reasons why this feature has never shown up in MIT Kerberos:

* Can actually do more harm than good by creating a trivially easy attack vector

Tim> Agreed, but we need to recognise that many security departments want/need this functionality, and if they don't it can always be disabled ...

* Hard to do 100% right in the presence of slave KDCs (which would now have to keep state, and all KDCs would need a mechanism to propagate said state to all of the other KDCs).

Tim> Yes, it is hard, but the CyberSafe TrustBroker Security Server product has this already implemented, and it works very well. As somebody mentioned in an earlier post, this functionality is also implemented in Microsoft Active Directory and works very well when AD is used as KDC.

There's one additional twist:

* Many of the sites that need this feature are so paranoid that having a vendor supply a binary which can NOT be independently audited is easier to get past the security folks than some open source package, since if source is available, the security people want the whole darned package to be reviewed before allowing it on the classified network.

Tim> This is one reason why we build and support a commercially available Kerberos product, including client and KDC software. There are many companies and organisations that prefer to buy our commercially supported product instead of using open source. Also, the software license cost is not as high as you might think :-)

Note that I'm not saying this makes sense; I'm just describing the way the world works for some interesting subset of Kerberos-using sites.

- Ted

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
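As an added illustration of the replication point raised above (this is example code written for this page, not code from the thread, from MIT Kerberos, or from any product named here): a small Python model of a failed-login lockout counter kept on several KDCs, with and without propagating the counts between them. The KDC names, the principal and the threshold of 5 failures are assumptions.

```python
"""Model: per-KDC lockout counters vs. counters propagated between KDCs."""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5              # assumed policy: lock after 5 failed attempts
PRINCIPAL = "alice@EXAMPLE.COM"    # constructed sample principal


@dataclass
class Kdc:
    name: str
    local: dict = field(default_factory=dict)   # principal -> failures seen here
    remote: dict = field(default_factory=dict)  # principal -> {other KDC -> failures}

    def failures(self, principal: str) -> int:
        return self.local.get(principal, 0) + sum(self.remote.get(principal, {}).values())

    def is_locked(self, principal: str) -> bool:
        return self.failures(principal) >= LOCKOUT_THRESHOLD

    def record_failure(self, principal: str) -> None:
        self.local[principal] = self.local.get(principal, 0) + 1


def propagate(kdcs: list) -> None:
    """Merge each KDC's local counts into the others (grow-only counter: per-origin max)."""
    for dst in kdcs:
        for src in kdcs:
            if src is dst:
                continue
            for principal, n in src.local.items():
                seen = dst.remote.setdefault(principal, {})
                seen[src.name] = max(seen.get(src.name, 0), n)


def failures_until_locked_everywhere(num_kdcs: int, propagate_state: bool) -> int:
    """Spread failed logins round-robin over the KDCs and return how many are
    actually processed before every KDC reports the principal locked."""
    kdcs = [Kdc(f"kdc{i}") for i in range(num_kdcs)]
    attempt = processed = 0
    while not all(k.is_locked(PRINCIPAL) for k in kdcs):
        kdc = kdcs[attempt % num_kdcs]
        attempt += 1
        if kdc.is_locked(PRINCIPAL):
            continue                     # this KDC already refuses the principal
        kdc.record_failure(PRINCIPAL)
        processed += 1
        if propagate_state:
            propagate(kdcs)              # push the new count to the other KDCs
    return processed


if __name__ == "__main__":
    print("3 KDCs, no propagation :", failures_until_locked_everywhere(3, False))
    print("3 KDCs, with propagation:", failures_until_locked_everywhere(3, True))
```

With isolated counters the policy's threshold is effectively multiplied by the number of KDCs; only when state is propagated does the realm enforce the configured limit.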