account lockout after n failed password attempts

2009-12-12 Thread Steve Glasser
Hi list,

I was wondering if account lockout after n failed password attempts
was ever successfully implemented with MIT Kerberos?

I know this was discussed several years ago (see:
http://mailman.mit.edu/pipermail/kerberos/2007-December/012705.html).
I haven't seen any responses more current than that.  It looks like
an inherent design problem because with multiple kdc servers there is
no way to keep a centralized count of failed login attempts.

Btw, does anyone know how Microsoft got around this problem (assuming
they did so), as they do offer account lockout after n failed login
attempts?

Thanks,
-- 
Steve Glasser
sgla9...@gmail.com

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: account lockout after n failed password attempts

2009-12-12 Thread Greg Hudson
On Sat, 2009-12-12 at 15:53 -0500, Steve Glasser wrote:
> I was wondering if account lockout after n failed password attempts
> was ever successfully implemented with MIT Kerberos?

It has been implemented for 1.8, which is currently scheduled for
release in early March 2010.  There is more information at:
http://k5wiki.kerberos.org/wiki/Projects/Lockout

Due to the way the Kerberos protocol works, account lockout can only
work for principals which require pre-authentication.

> I know this was discussed several years ago (see:
> http://mailman.mit.edu/pipermail/kerberos/2007-December/012705.html).
> I haven't seen any responses more current than that.  It looks like
> an inherent design problem because with multiple kdc servers there is
> no way to keep a centralized count of failed login attempts.

Our implementation does not synchronize lockout state between KDCs.  If
you have N slave KDCs, the attacker will get N times as many attempts
before being locked out on all of them.

> Btw, does anyone know how Microsoft got around this problem (assuming
> they did so), as they do offer account lockout after n failed login
> attempts?

My best understanding is that Microsoft does not synchronize the number
of failed attempts between KDCs, but (unlike our implementation) does
lock a user out on all KDCs if a user triggers the lockout conditions on
one of them.  I'm not 100% certain of this, however.
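
The two points Greg makes above (lockout only counts for principals that require pre-authentication, and per-KDC counters give an attacker roughly N times the attempt budget) can be modelled in a few lines. The following is an added example written for this thread, not MIT Kerberos code and not a description of any real KDC's internals: the `Policy`, `Kdc` and `Realm` names, the `max_failures` threshold, and the round-robin guessing model are assumptions. `Policy.PER_KDC` models the unsynchronized behaviour described for 1.8; `Policy.PROPAGATED` models Greg's understanding of the Microsoft behaviour (independent counters, but a lock triggered on one KDC applied on all).

```python
# Constructed model of KDC account lockout as discussed in the thread.
# Not MIT Kerberos code; names and parameters are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    PER_KDC = "per_kdc"        # each KDC keeps its own counter and lock state
    PROPAGATED = "propagated"  # counters per KDC, but a lock on one KDC is applied on all


@dataclass
class Principal:
    name: str
    password: str
    requires_preauth: bool


@dataclass
class Kdc:
    name: str
    max_failures: int
    failures: dict = field(default_factory=dict)   # principal name -> consecutive failures
    locked: set = field(default_factory=set)       # principal names currently locked here

    def as_request(self, principal: Principal, password_guess: str) -> str:
        """Handle one AS-REQ. Returns 'locked', 'no_preauth', 'issued' or 'failed'."""
        if principal.name in self.locked:
            return "locked"
        if not principal.requires_preauth:
            # Without pre-authentication the KDC issues the AS-REP (encrypted in
            # the principal's key) without verifying anything, so it never learns
            # whether a guess was wrong and has nothing to count.
            return "no_preauth"
        if password_guess == principal.password:
            self.failures[principal.name] = 0          # success resets the counter
            return "issued"
        count = self.failures.get(principal.name, 0) + 1
        self.failures[principal.name] = count
        if count >= self.max_failures:
            self.locked.add(principal.name)
        return "failed"


class Realm:
    def __init__(self, kdc_count: int, max_failures: int, policy: Policy):
        self.policy = policy
        self.kdcs = [Kdc(f"kdc{i}", max_failures) for i in range(kdc_count)]

    def attempt(self, kdc_index: int, principal: Principal, guess: str) -> str:
        kdc = self.kdcs[kdc_index]
        result = kdc.as_request(principal, guess)
        if self.policy is Policy.PROPAGATED and principal.name in kdc.locked:
            for other in self.kdcs:                    # one KDC's lock applies everywhere
                other.locked.add(principal.name)
        return result

    def locked_everywhere(self, principal: Principal) -> bool:
        return all(principal.name in k.locked for k in self.kdcs)


def wrong_guesses_evaluated(realm: Realm, principal: Principal, limit: int = 1000):
    """Rotate wrong guesses across the KDCs and count how many were actually
    evaluated before every KDC refuses. Returns None if no lockout occurs within
    `limit` attempts (the no-preauth case: every guess yields an AS-REP that can
    be checked offline, so the budget is unbounded)."""
    evaluated = 0
    for i in range(limit):
        if realm.locked_everywhere(principal):
            return evaluated
        result = realm.attempt(i % len(realm.kdcs), principal, f"wrong-{i}")
        if result in ("failed", "no_preauth"):
            evaluated += 1
    return None


if __name__ == "__main__":
    alice = Principal("alice@EXAMPLE.COM", "correct-horse", requires_preauth=True)
    bob = Principal("bob@EXAMPLE.COM", "battery-staple", requires_preauth=False)
    for policy in Policy:
        print(policy.value, "3 KDCs, 5 failures:", wrong_guesses_evaluated(Realm(3, 5, policy), alice))
    print("no preauth, 3 KDCs:", wrong_guesses_evaluated(Realm(3, 5, Policy.PER_KDC), bob))
```

With three KDCs and a five-failure threshold the per-KDC policy evaluates 15 wrong guesses before the principal is locked everywhere, versus 5 with a single KDC, which is the N-times budget Greg describes; the propagated policy only trims that to 13 under round-robin guessing, because the counters themselves are still not shared. A principal without `requires_preauth` never locks at all, so the practical defender's check is that every principal you expect lockout to protect actually has pre-authentication required.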