
Re: Last Successful Login always equals "never"

daemon@ATHENA.MIT.EDU (John Hascall)
Fri Apr 18 15:36:08 2008

To: Ken Raeburn <raeburn@mit.edu>
In-reply-to: Your message of Fri, 18 Apr 2008 14:22:03 -0400.
	<E42AAD7F-653B-474D-81D5-907DE4859DD2@mit.edu> 
Date: Fri, 18 Apr 2008 14:35:00 CDT
Message-ID: <3060.1208547300@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
Cc: Kerberos mailing list <kerberos@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


> On Apr 18, 2008, at 12:48, John Hascall wrote:
> > Note that doing so will turn on a hardcoded! 5-strikes and a
> > principal is disabled 'feature' which provides an attacker a
> > nice DoS attack vector.  We modified our KDC to re-enable
> > the principal after a minute.  YMMV.
> 
> Feel like contributing a patch?

Here's my copy of kdc/do_as_req.c

http://john.public.iastate.edu/public/kerberos/do_as_req.c

There are other mods in there, so making a specific patch
is problematic, but this code is in KRBCONF_KDC_RESET_FAILURE
ifdef blocks so it shouldn't be hard to find.

Because I had to abuse existing variables so as to maintain
DB compatibility, there is a quirk that you can't specifically
do 'modprinc -allow_tix' without also resetting 'fail_auth_count'
to zero.


John
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
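The behaviour John describes (a fixed failure threshold that disables a principal, which a remote party can trigger deliberately, versus a KDC that re-enables the principal after a minute) can be modelled outside the KDC to see why the timed reset matters. The following is an added illustration written for this archive page; it is not code from MIT krb5 or from John Hascall's do_as_req.c. The threshold of 5, the 60-second window, the record field names, the principal names and the error-code strings are all assumptions chosen to mirror the message; the only real-world names are the two RFC 4120 error codes.

```python
"""Constructed model of a KDC failed-authentication lockout.

Added example, not MIT krb5 code.  Two policies are compared:
  * reset_after=None  -> permanent lockout after N failures (the
                         "hardcoded 5-strikes" behaviour John warns about)
  * reset_after=60.0  -> principal re-enabled a minute after the last
                         failure (the local modification he describes)
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

LOCKOUT_THRESHOLD = 5        # assumed: "5-strikes" and the principal is disabled
RESET_AFTER_SECONDS = 60.0   # assumed: "re-enable the principal after a minute"


@dataclass
class PrincipalRecord:
    """Minimal stand-in for the KDC database fields the lockout touches."""
    fail_auth_count: int = 0
    last_failed: float = 0.0
    allow_tix: bool = True     # False means the principal is disabled


@dataclass
class LockoutPolicy:
    reset_after: Optional[float]                 # None = permanent lockout
    clock: Callable[[], float] = time.time       # injectable for simulation
    db: Dict[str, PrincipalRecord] = field(default_factory=dict)

    def _rec(self, princ: str) -> PrincipalRecord:
        return self.db.setdefault(princ, PrincipalRecord())

    def _maybe_reset(self, rec: PrincipalRecord) -> None:
        """Re-enable a disabled principal once the reset window has elapsed."""
        if self.reset_after is None or rec.allow_tix:
            return
        if self.clock() - rec.last_failed >= self.reset_after:
            rec.allow_tix = True
            rec.fail_auth_count = 0

    def as_req(self, princ: str, password_ok: bool) -> str:
        """Handle one AS-REQ; returns a Kerberos-style result name."""
        rec = self._rec(princ)
        self._maybe_reset(rec)
        if not rec.allow_tix:
            return "KDC_ERR_CLIENT_REVOKED"
        if password_ok:
            rec.fail_auth_count = 0
            return "OK"
        rec.fail_auth_count += 1
        rec.last_failed = self.clock()
        if rec.fail_auth_count >= LOCKOUT_THRESHOLD:
            rec.allow_tix = False
        return "KDC_ERR_PREAUTH_FAILED"

    def modprinc_allow_tix(self, princ: str) -> None:
        """Administrative re-enable.  Because the lockout reuses existing
        DB fields, this also zeroes fail_auth_count (the quirk John notes)."""
        rec = self._rec(princ)
        rec.allow_tix = True
        rec.fail_auth_count = 0


def simulate(reset_after: Optional[float]) -> tuple:
    """Five wrong passwords from a remote party, then the legitimate user
    tries immediately and again one minute later.  Returns both outcomes."""
    now = [1000.0]                                   # constructed clock
    kdc = LockoutPolicy(reset_after=reset_after, clock=lambda: now[0])
    princ = "alice@EXAMPLE.COM"                      # constructed principal
    for _ in range(LOCKOUT_THRESHOLD):
        kdc.as_req(princ, password_ok=False)
    immediately = kdc.as_req(princ, password_ok=True)
    now[0] += RESET_AFTER_SECONDS
    later = kdc.as_req(princ, password_ok=True)
    return immediately, later


if __name__ == "__main__":
    print("permanent lockout:", simulate(None))
    print("timed reset:      ", simulate(RESET_AFTER_SECONDS))
```

With the permanent policy the legitimate user stays locked out indefinitely after someone else's five bad attempts, which is the denial-of-service John points at; with the timed reset the user recovers after the window, and an administrator's `modprinc_allow_tix` both re-enables the principal and, as in his modified KDC, clears the failure counter.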
