[31769] in Kerberos
Re: account lockout after n failed password attempts
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Dec 12 23:36:36 2009
From: Greg Hudson <ghudson@mit.edu>
To: Steve Glasser <sgla9347@gmail.com>
In-Reply-To: <c789fd70912121253t667745f9s6d1cd4f809622412@mail.gmail.com>
Date: Sat, 12 Dec 2009 23:36:12 -0500
Message-ID: <1260678972.31008.877.camel@ray>
Mime-Version: 1.0
Cc: "Kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Sat, 2009-12-12 at 15:53 -0500, Steve Glasser wrote:
> I was wondering if account lockout after n failed password attempts
> was ever successfully implemented with MIT Kerberos?

It has been implemented for 1.8, which is currently scheduled for
release in early March 2010. There is more information at:

http://k5wiki.kerberos.org/wiki/Projects/Lockout

Due to the way the Kerberos protocol works, account lockout can only
work for principals which require pre-authentication.

> I know this was discussed several years ago (see:
> http://mailman.mit.edu/pipermail/kerberos/2007-December/012705.html).
> I haven't seen any responses more current than that. It looks like
> an inherent design problem because with multiple kdc servers there is
> no way to keep a centralized count of failed login attempts.

Our implementation does not synchronize lockout state between KDCs. If
you have N slave KDCs, the attacker will get N times as many attempts
before being locked out on all of them.

> Btw, does anyone know how Microsoft got around this problem (assuming
> they did so), as they do offer account lockout after n failed login
> attempts?

My best understanding is that Microsoft does not synchronize the number
of failed attempts between KDCs, but (unlike our implementation) does
lock a user out on all KDCs if a user triggers the lockout conditions on
one of them. I'm not 100% certain of this, however.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
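The two lockout models discussed in the thread, as an added simulation for sizing the exposure (example code, not MIT Kerberos or Microsoft code): per-KDC failure counters with no replication, lockout only for principals that require pre-authentication, and an optional "propagate" mode standing in for the behaviour Greg describes as his understanding of Microsoft (local counters, but a lockout triggered on one KDC applies on all). Realm, Kdc, as_req and the counter-reset-on-success rule are assumptions of this model, not documented semantics.

```python
from dataclasses import dataclass, field

@dataclass
class Kdc:
    """One KDC's private lockout state; nothing in here is replicated (assumed)."""
    failures: dict = field(default_factory=dict)   # principal -> failed preauth count
    locked: set = field(default_factory=set)

@dataclass
class Realm:
    n_kdcs: int
    max_failures: int                   # per-KDC lockout threshold
    propagate_lockout: bool = False     # False: 1.8 model; True: lock everywhere on trigger
    preauth_required: set = field(default_factory=set)
    kdcs: list = field(init=False)

    def __post_init__(self):
        self.kdcs = [Kdc() for _ in range(self.n_kdcs)]

    def as_req(self, i: int, princ: str, password_ok: bool) -> str:
        kdc = self.kdcs[i]
        if princ in kdc.locked:
            return "LOCKED"             # refused before any key check
        if princ not in self.preauth_required:
            # Without pre-authentication the AS-REQ carries no proof of the
            # client key, so the KDC has no failure to count and answers anyway.
            return "OK"
        if password_ok:
            kdc.failures[princ] = 0     # reset on success (assumed policy)
            return "OK"
        kdc.failures[princ] = kdc.failures.get(princ, 0) + 1
        if kdc.failures[princ] >= self.max_failures:
            for k in (self.kdcs if self.propagate_lockout else [kdc]):
                k.locked.add(princ)
        return "FAILED"

def wrong_guesses_until_all_refuse(realm: Realm, princ: str, limit: int = 10_000):
    """Wrong-password AS-REQs actually processed (not refused) when spread
    round-robin over all KDCs, until every KDC refuses. None if never locked."""
    processed = 0
    for n in range(limit):
        if realm.as_req(n % realm.n_kdcs, princ, password_ok=False) != "LOCKED":
            processed += 1
        if all(princ in k.locked for k in realm.kdcs):
            return processed
    return None
```

With three KDCs and a threshold of 5, the 1.8 model processes 15 wrong guesses before all KDCs refuse; the propagate model still processes 13 ((threshold - 1) * N + 1), because the counters themselves stay local and a round-robin spread fills each one before any reaches the threshold.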