On Sat, 2009-12-12 at 15:53 -0500, Steve Glasser wrote:
> I was wondering if account lockout after n failed password attempts
> was ever successfully implemented with MIT Kerberos?

It has been implemented for 1.8, which is currently scheduled for release in early March 2010. There is more information at:

http://k5wiki.kerberos.org/wiki/Projects/Lockout

Due to the way the Kerberos protocol works, account lockout can only work for principals which require pre-authentication.

> I know this was discussed several years ago (see:
> http://mailman.mit.edu/pipermail/kerberos/2007-December/012705.html).
> I haven't seen any responses more current than that. It looks like
> an inherent design problem because with multiple kdc servers there is
> no way to keep a centralized count of failed login attempts.

Our implementation does not synchronize lockout state between KDCs. If you have N slave KDCs, the attacker will get N times as many attempts before being locked out on all of them.

> Btw, does anyone know how Microsoft got around this problem (assuming
> they did so), as they do offer account lockout after n failed login
> attempts?

My best understanding is that Microsoft does not synchronize the number of failed attempts between KDCs, but (unlike our implementation) does lock a user out on all KDCs if a user triggers the lockout conditions on one of them. I'm not 100% certain of this, however.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
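The two designs discussed in the reply (per-KDC counters with no synchronization, versus per-KDC counters where a lockout triggered on one KDC is applied on all), plus the pre-authentication caveat, as an added toy model; this is hypothetical illustration code, not the thread's code and not MIT Kerberos's lockout implementation. The `Kdc` class, the `guesses_before_full_lockout` function, the response strings and the sample principal `alice` are all assumptions made for the model.

```python
from dataclasses import dataclass, field


@dataclass
class Kdc:
    """One KDC with its own, unsynchronized failed-pre-auth counters (hypothetical model)."""
    max_fail: int
    failed: dict = field(default_factory=dict)  # principal -> failed count
    locked: set = field(default_factory=set)

    def handle_as_req(self, principal, requires_preauth, password_ok):
        if principal in self.locked:
            return "LOCKED"
        if not requires_preauth:
            # Without pre-authentication the KDC never checks the password in
            # the AS exchange, so there is no failed attempt to count.
            return "AS_REP"
        if password_ok:
            self.failed[principal] = 0
            return "AS_REP"
        self.failed[principal] = self.failed.get(principal, 0) + 1
        if self.failed[principal] >= self.max_fail:
            self.locked.add(principal)
            return "LOCKED"
        return "PREAUTH_FAILED"


def guesses_before_full_lockout(n_kdcs, max_fail, propagate_lockout,
                                requires_preauth=True, cap=1000):
    """Send wrong-password AS-REQs for one principal round-robin across the
    KDCs. Returns how many were actually evaluated before every KDC refuses,
    or None if lockout never triggers within `cap` requests."""
    principal = "alice"  # constructed sample principal
    kdcs = [Kdc(max_fail) for _ in range(n_kdcs)]
    evaluated = 0
    for i in range(cap):
        if all(principal in k.locked for k in kdcs):
            return evaluated
        kdc = kdcs[i % n_kdcs]
        if principal in kdc.locked:
            continue  # refused without evaluation; try the next KDC
        evaluated += 1
        result = kdc.handle_as_req(principal, requires_preauth, password_ok=False)
        if result == "LOCKED" and propagate_lockout:
            # Lockout propagation as the reply describes for Microsoft: counts
            # stay local, but a lockout on one KDC is applied on all of them.
            for k in kdcs:
                k.locked.add(principal)
    return None
```

With three KDCs and a threshold of five, the unsynchronized model evaluates 15 guesses before every KDC refuses, while propagating only the lockout (not the counts) still allows 13 under round-robin, i.e. N*(max_fail-1)+1 rather than max_fail; a principal without pre-authentication never locks out at all.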