I've been asked if it would be possible for the MIT krb5 KDC not to increment the failed authentication count (and presumably the time) when one of the older passwords was used. I know such behaviour is not documented.
The question arose because the MS Active Directory KDC can do this. Quoting from ... <http://msdn.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx>

"Password history check (N-2): Before a Windows Server 2003 operating system increments badPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, badPwdCount is not incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error."

I'm wondering whether the old keys stored in the database are suitable for attempting such a dummy authentication against.

Cheers,
Kenny.

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
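The N-2 rule quoted above, as an added illustration that is not part of the original post and is neither MIT krb5 nor Active Directory code: a small model of a KDC principal record with a current key, a list of previous keys, and a bad-password counter. A failed attempt is re-derived into a key and compared against the two most recent old keys before the counter is touched. The string-to-key function (PBKDF2-HMAC-SHA256), the per-principal salt, the lockout threshold and the principal names are assumptions made for the example, not krb5's actual string2key or database layout.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HISTORY_DEPTH = 2       # AD's "N-2" rule: only the two most recent old keys are consulted
LOCKOUT_THRESHOLD = 5   # constructed policy value for the example


def string_to_key(password: str, salt: bytes) -> bytes:
    """Stand-in for a Kerberos string2key (assumption: PBKDF2-HMAC-SHA256, not krb5's real algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


@dataclass
class Principal:
    name: str
    salt: bytes
    current_key: bytes
    old_keys: list = field(default_factory=list)   # most recent first, all derived with self.salt
    bad_pwd_count: int = 0

    @classmethod
    def create(cls, name: str, password: str) -> "Principal":
        # A real KDC derives the salt from the principal name; a random salt is a constructed stand-in.
        salt = os.urandom(16)
        return cls(name=name, salt=salt, current_key=string_to_key(password, salt))

    def change_password(self, new_password: str) -> None:
        # Retire the current key into the history and reset the counter on a successful change.
        self.old_keys.insert(0, self.current_key)
        self.current_key = string_to_key(new_password, self.salt)
        self.bad_pwd_count = 0

    def matches_recent_old_key(self, candidate: bytes) -> bool:
        # Compare against at most HISTORY_DEPTH retired keys, in constant time per comparison.
        return any(hmac.compare_digest(candidate, k) for k in self.old_keys[:HISTORY_DEPTH])


def authenticate(p: Principal, password: str) -> str:
    """Model of the KDC's decision: returns 'ok', 'rejected-old-password', 'rejected' or 'locked'."""
    if p.bad_pwd_count >= LOCKOUT_THRESHOLD:
        return "locked"
    candidate = string_to_key(password, p.salt)
    if hmac.compare_digest(candidate, p.current_key):
        p.bad_pwd_count = 0
        return "ok"
    if p.matches_recent_old_key(candidate):
        # Still a failed authentication, but the counter is not incremented (the N-2 rule).
        return "rejected-old-password"
    p.bad_pwd_count += 1
    if p.bad_pwd_count >= LOCKOUT_THRESHOLD:
        return "locked"
    return "rejected"


if __name__ == "__main__":
    p = Principal.create("user@EXAMPLE.ORG", "first-password")
    p.change_password("second-password")
    p.change_password("third-password")
    print(authenticate(p, "second-password"), p.bad_pwd_count)   # old password: counter untouched
    print(authenticate(p, "not-a-password"), p.bad_pwd_count)    # genuinely wrong: counter moves
```

The part that matters for the question of whether stored old keys are usable is the comparison step: the attempt can only be matched against a retired key if that key was derived with the same salt and enctype as the candidate, so either the history entries must carry their own salt and enctype or the KDC must re-derive the candidate once per stored variant.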