[29694] in Kerberos
Re: Last Successful Login always equals "never"
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Fri Apr 18 14:22:40 2008
From: Ken Raeburn <raeburn@mit.edu>
To: John Hascall <john@iastate.edu>
In-Reply-To: <2807.1208537319@malison.ait.iastate.edu>
Message-Id: <E42AAD7F-653B-474D-81D5-907DE4859DD2@mit.edu>
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Fri, 18 Apr 2008 14:22:03 -0400
Cc: Kerberos mailing list <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Apr 18, 2008, at 12:48, John Hascall wrote:
> In the past, some MIT folks have made dire statements about how
> this code is untested and unsafe and blah blah blah,
Sounds familiar. :-)
> Note that doing so will turn on a hardcoded! 5-strikes and a
> principal is disabled 'feature' which provides an attacker a
> nice DoS attack vector. We modified our KDC to re-enable
> the principal after a minute. YMMV.
Feel like contributing a patch?
I don't think we can just make the functionality change without
discussion, but if it's configurable, or the compiled-in default
interval is something so unreasonably large as to approximate the
existing behavior (unless one makes what could be a very small change
to the source), the functionality change shouldn't be much of an
issue. Especially if it continues not to be compiled in by default.
Which is also something we could consider changing, especially with a
patch that leaves the default behavior as is -- no recording, database
open read-only -- in case anyone is thinking of contributing such a
thing....
Ken
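The lockout behaviour this thread is about, as an added illustration that is not MIT Kerberos KDC code: a strike counter that disables a principal after a fixed number of failures, with a configurable re-enable interval. With the interval set to 0 (never) it approximates the existing behaviour John describes, where one attacker burst keeps the real user locked out until an admin intervenes; with a short interval the principal comes back on its own. All type and function names here are hypothetical.

```c
#include <time.h>

/* Hypothetical lockout policy for this thread; not MIT Kerberos KDC code. */
typedef struct {
    unsigned max_strikes;    /* the hardcoded "5-strikes" John describes */
    time_t unlock_interval;  /* seconds until auto re-enable; 0 = never (existing behaviour) */
} lockout_policy;

typedef struct {
    unsigned fail_count;     /* consecutive failed attempts */
    int locked;              /* 1 while the principal is disabled */
    time_t locked_at;        /* when it was disabled */
} princ_state;

/* 1 if the principal is disabled at 'now'; expires the lock once the interval has passed. */
int lockout_is_disabled(const lockout_policy *p, princ_state *s, time_t now)
{
    if (!s->locked)
        return 0;
    if (p->unlock_interval > 0 && now - s->locked_at >= p->unlock_interval) {
        s->locked = 0;           /* interval elapsed: re-enable without admin action */
        s->fail_count = 0;
        return 0;
    }
    return 1;
}

/* Record one failed attempt; returns 1 if the principal is disabled afterwards. */
int lockout_record_failure(const lockout_policy *p, princ_state *s, time_t now)
{
    if (lockout_is_disabled(p, s, now))
        return 1;
    if (++s->fail_count >= p->max_strikes) {
        s->locked = 1;
        s->locked_at = now;
        return 1;
    }
    return 0;
}

/* The DoS John describes: an attacker burns every strike against a victim
 * principal at t=0; is the legitimate user still locked out at t=wait? */
int lockout_victim_disabled_after(const lockout_policy *p, time_t wait)
{
    princ_state s = { 0, 0, 0 };
    for (unsigned i = 0; i < p->max_strikes; i++)
        lockout_record_failure(p, &s, 0);
    return lockout_is_disabled(p, &s, wait);
}
```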
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos