> On Apr 18, 2008, at 12:48, John Hascall wrote:
> > Note that doing so will turn on a hardcoded! 5-strikes and a
> > principal is disabled 'feature' which provides an attacker a
> > nice DoS attack vector.  We modified our KDC to re-enable
> > the principal after a minute.  YMMV.
>
> Feel like contributing a patch?

Here's my copy of kdc/do_as_req.c

    http://john.public.iastate.edu/public/kerberos/do_as_req.c

There are other mods in there, so making a specific patch
is problematic, but this code is in KRBCONF_KDC_RESET_FAILURE
ifdef blocks so it shouldn't be hard to find.

Because I had to abuse existing variables so as to maintain
DB compatibility, there is a quirk that you can't specifically
do 'modprinc -allow_tix' without also resetting 'fail_auth_count'
to zero.

John
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
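
The behaviour discussed in the message above (five failed authentications disable the principal, and the modified KDC re-enables it after a minute), as a small stand-alone C model. This is an added example, not the code in the linked do_as_req.c or in MIT krb5; the struct layout, the `last_failed` field and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define MAX_FAILURES  5   /* the 5-strikes limit from the thread */
#define RESET_SECONDS 60  /* "after a minute" */

/* Hypothetical record, not the krb5 database entry layout. */
struct principal {
    int    fail_auth_count; /* name taken from the message */
    bool   allow_tix;       /* false = principal disabled */
    time_t last_failed;     /* assumed field: time of the latest failure */
};

/* Lift a lockout once it has aged out. A principal disabled with a count
 * below the limit is treated as administratively disabled and left alone. */
static void maybe_reenable(struct principal *p, time_t now)
{
    if (!p->allow_tix && p->fail_auth_count >= MAX_FAILURES &&
        now - p->last_failed >= (time_t)RESET_SECONDS) {
        p->allow_tix = true;
        p->fail_auth_count = 0;
    }
}

/* Returns true if a ticket may be issued for this AS request. */
bool handle_as_req(struct principal *p, bool preauth_ok, time_t now)
{
    maybe_reenable(p, now);
    if (!p->allow_tix)
        return false;           /* locked: attempt does not extend the lock */
    if (preauth_ok) {
        p->fail_auth_count = 0;
        return true;
    }
    p->last_failed = now;
    if (++p->fail_auth_count >= MAX_FAILURES)
        p->allow_tix = false;   /* strike limit reached: disable */
    return false;
}

/* Constructed scenario: N bad attempts, then one good attempt later. */
bool good_login_after(int failures, int wait_seconds)
{
    struct principal p = { 0, true, 0 };
    time_t t0 = 1000;           /* constructed timestamp */
    for (int i = 0; i < failures; i++)
        handle_as_req(&p, false, t0);
    return handle_as_req(&p, true, t0 + wait_seconds);
}

int main(void)
{
    printf("retry after 10s: %d, after 60s: %d\n",
           good_login_after(5, 10), good_login_after(5, 60));
    return 0;
}
```

With the timed reset, a burst of bad passwords locks the legitimate user out for at most a minute at a time instead of until an administrator intervenes.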
