[29695] in Kerberos


Re: Last Successful Login always equals "never"

daemon@ATHENA.MIT.EDU (John Hascall)
Fri Apr 18 15:25:11 2008

To: Ken Raeburn <raeburn@mit.edu>
In-reply-to: Your message of Fri, 18 Apr 2008 14:22:03 -0400.
	<E42AAD7F-653B-474D-81D5-907DE4859DD2@mit.edu> 
Date: Fri, 18 Apr 2008 14:24:11 CDT
Message-ID: <3026.1208546651@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
Cc: Kerberos mailing list <kerberos@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> On Apr 18, 2008, at 12:48, John Hascall wrote:
> > Note that doing so will turn on a hardcoded! 5-strikes and a
> > principal is disabled 'feature' which provides an attacker a
> > nice DoS attack vector.  We modified our KDC to re-enable
> > the principal after a minute.  YMMV.
> 
> Feel like contributing a patch?
> 
> I don't think we can just make the functionality change without  
> discussion, but if it's configurable, or the compiled-in default  
> interval is something so unreasonably large as to approximate the  
> existing behavior (unless one makes what could be a very small change  
> to the source), the functionality change shouldn't be much of an  
> issue.  Especially if it continues not to be compiled in by default.   
> Which is also something we could consider changing, especially with a  
> patch that leaves the default behavior as is -- no recording, database  
> open read-only -- in case anyone is thinking of contributing such a  
> thing....

I can certainly make my diffs available, BUT it is not
possible to do this right without major changes because
the right way to do it would be in the POLICY, but unlike
the principal DB (tl_data) there is no extension method
for the policy db :(

That is:
   mod_policy -strikes 5 -reenable "5m"        == good

#ifdef KRBCONF_KDC_RESET_FAILURE               == kinda icky
    ... code blobs which abuse client.fail_auth_count ...
#endif
John
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
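The trade-off the thread describes, as an added model written for this page (not code from the MIT Kerberos KDC, from John's local diffs, or from kadmin): a per-principal strike counter that disables the principal after N failures, once with no re-enable (the hard-coded behaviour, where a burst of bad passwords locks the real user out until an administrator intervenes) and once with a re-enable interval (the local modification). The field names `fail_auth_count` and `last_failed` echo the KDC principal entry, but `lockout_policy`, `parse_interval`, the `-reenable "5m"` option syntax and the other functions are hypothetical, and the five-failure burst is a constructed scenario.

```c
/*
 * Model of a per-principal lockout policy with an optional re-enable
 * interval. Added example; not MIT Kerberos KDC code. fail_auth_count and
 * last_failed echo the KDC's principal entry; everything else is hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

typedef struct {
    unsigned int max_strikes;   /* failures before disabling; 0 = never disable */
    long reenable_after;        /* seconds; 0 = stay disabled until an admin acts */
} lockout_policy;

typedef struct {
    unsigned int fail_auth_count;
    time_t last_failed;
    bool disabled;
} principal_entry;

typedef enum { AUTH_OK, AUTH_BAD_PASSWORD, AUTH_LOCKED_OUT } auth_result;

/* Parse a "-reenable" style interval ("5m", "90s", "1h") into seconds.
 * Returns -1 on malformed input. The syntax is the one sketched in the
 * message above, not an existing kadmin flag. */
long parse_interval(const char *s)
{
    char *end;
    long n = strtol(s, &end, 10);
    if (end == s || n < 0)
        return -1;
    if (*end != '\0' && end[1] != '\0')
        return -1;                  /* only a single unit suffix is accepted */
    switch (*end) {
    case '\0': case 's': return n;
    case 'm':            return n * 60;
    case 'h':            return n * 3600;
    default:             return -1;
    }
}

/* True if the principal is locked out at time `now`. An expired lockout is
 * cleared here, so stale failures stop counting against the legitimate user. */
bool is_locked_out(principal_entry *p, const lockout_policy *pol, time_t now)
{
    if (!p->disabled)
        return false;
    if (pol->reenable_after > 0 && now - p->last_failed >= pol->reenable_after) {
        p->disabled = false;
        p->fail_auth_count = 0;
        return false;
    }
    return true;
}

/* Apply one authentication attempt to the entry under the given policy. */
auth_result record_attempt(principal_entry *p, const lockout_policy *pol,
                           time_t now, bool password_ok)
{
    if (is_locked_out(p, pol, now))
        return AUTH_LOCKED_OUT;
    if (password_ok) {
        p->fail_auth_count = 0;     /* a good login resets the strike count */
        return AUTH_OK;
    }
    p->fail_auth_count++;
    p->last_failed = now;
    if (pol->max_strikes > 0 && p->fail_auth_count >= pol->max_strikes)
        p->disabled = true;
    return AUTH_BAD_PASSWORD;
}

/* Constructed scenario: five wrong passwords arrive at t = 0..4 seconds,
 * then the legitimate user presents the right password at time `t`.
 * Returns what the legitimate user sees. */
auth_result legit_login_after_burst(const lockout_policy *pol, time_t t)
{
    principal_entry p = {0, 0, false};
    for (time_t i = 0; i < 5; i++)
        record_attempt(&p, pol, i, false);
    return record_attempt(&p, pol, t, true);
}

int main(void)
{
    lockout_policy permanent = {5, 0};                      /* the hard-coded behaviour */
    lockout_policy minute    = {5, parse_interval("1m")};   /* the modified KDC */
    printf("permanent lockout, login at t=70: %s\n",
           legit_login_after_burst(&permanent, 70) == AUTH_OK ? "ok" : "locked out");
    printf("1 minute re-enable, login at t=30: %s\n",
           legit_login_after_burst(&minute, 30) == AUTH_OK ? "ok" : "locked out");
    printf("1 minute re-enable, login at t=70: %s\n",
           legit_login_after_burst(&minute, 70) == AUTH_OK ? "ok" : "locked out");
    return 0;
}
```

With the permanent policy the legitimate login at t=70 is still rejected; with a one-minute re-enable it is rejected at t=30 (26 s after the last failure) and accepted at t=70. Carrying the strike limit and interval in the policy rather than behind a compile-time `#ifdef` is what lets an administrator tune that window per realm instead of patching the KDC.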
