Hi! Nicolas,

Thanks for the response and clarificaiton.

But I am still not clear how to "lock out" account after n-times of failed login.

Are you saying there is no way to do it in current version of MIT kerberos?



From: Nicolas Williams [mailto:Nicolas.Williams@sun.com]
Sent: Mon 12/10/2007 6:58 PM
To: Douglas E. Engert
Cc: Yu, Ming; kerberos@mit.edu
Subject: Re: Account lockout support in Solaris 10 when authenticating against Kerberos

On Mon, Dec 10, 2007 at 05:11:21PM -0600, Douglas E. Engert wrote:
> Yu, Ming wrote:
> > Does anybody know how to implement account lockout
> > features on Solaris 10 when the user authenticates against Kerberos?

> See "man shadow". /etc/passwd, NIS or LDAP can have *LK* to indicate
> it is locked. I think it is the pam_unix_account that checks for this.
> For a Kerberos account without a local password use something like NP
> for the password.

Right, but what the poster was asking, effectively, was how to make the
KDC lock out the user after N failed [pre-]authentication attempts.

The answer is that an MIT KDC with plain old db2 backend can't do it.
An MIT KDC with an LDAP backend could do it, but it doesn't yet.

The user should scrape logs on the KDC and lock accounts (principals)


Important Notice *************************************************
This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unintended recipients are prohibited from taking action on the basis of information in this e-mail.E-mail messages may contain computer viruses or other defects, may not be accurately replicated on other systems, or may be intercepted, deleted or interfered with without the knowledge of the sender or the intended recipient. If you are not comfortable with the risks associated with e-mail messages, you may decide not to use e-mail to communicate with IPC. IPC reserves the right, to the extent and under circumstances permitted by applicable law, to retain, monitor and intercept e-mail messages to and from its systems.