Yu, Ming wrote:
> Hi! Guys,
>
>
>
> We are trying to authenticate users against Kerberos on
> Solaris 10.
>
>
>
> I found that MIT Kerberos does not support account
> lockout and/or inactive account lockout features.
>
>
>
> Does anybody know how to implement account lockout
> features on Solaris 10 when the user authenticates against Kerberos?
>
>


See "man shadow". /etc/passwd, NIS or LDAP can have *LK* to indicate
it is locked. I think it is the pam_unix_account that checks for this.
For a Kerberos account without a local password use something like NP
for the password.


>
> Since without account lockout support, it would be an
> acceptable security risk for our customers.
>
>
>
> Thanks,
>
>
>
> Ming
>
>
>
>
>
>
>
>
>
>
>
> DISCLAIMER:
> Important Notice *************************************************
> This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unintended recipients are prohibited from taking action on the basis of information in this e-mail.E-mail messages may contain computer viruses or other defects, may not be accurately replicated on other systems, or may be intercepted, deleted or interfered with without the knowledge of the sender or the intended recipient. If you are not comfortable with the risks associated with e-mail messages, you may decide not to use e-mail to communicate with IPC. IPC reserves the right, to the extent and under circumstances permitted by applicable law, to retain, monitor and intercept e-mail messages to and from its systems.
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>


--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444