"Yu, Ming" writes:

> But I am still not clear how to "lock out" an account after n failed
> logins.
>
> Are you saying there is no way to do it in the current version of MIT
> Kerberos?

Right, there's no way to do it at a Kerberos level. There are various
things that you can do within the service that's authenticating, but it
may require development on your part. (For example, if you're
authenticating the user via PAM, you could store the PAM failure count
somewhere and reject logins to that user once the failures reach a
particular threshold, something you could do without modifying anything
about how Kerberos works.)

Converting a failed authentication compromise into a denial of service
attack is generally a stupid idea, IMO. Far better to start rejecting
packets from a host that's apparently trying to do a dictionary attack.

--
Russ Allbery (rra@stanford.edu)
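As an added illustration of the trade-off in the reply above (not code from the thread or from MIT Kerberos), this sketch tracks failures per user and per source host, as a PAM module or its caller could, and shows why per-user lockout hands an attacker a denial of service while per-host rejection does not. The address values and thresholds are constructed for the example.

```python
from collections import defaultdict, deque

# Added example, not part of the original thread. Assumption: the service that
# authenticates (e.g. a PAM module) reports each failed attempt with the user
# name, the client address, and a timestamp.

WINDOW = 300         # seconds over which failures are counted
USER_THRESHOLD = 5   # the per-user lockout the question asked about
HOST_THRESHOLD = 20  # the per-source-host rejection the reply recommends


class FailureTracker:
    def __init__(self, window=WINDOW):
        self.window = window
        self.by_user = defaultdict(deque)
        self.by_host = defaultdict(deque)

    def _prune(self, q, now):
        # Drop failures older than the window so old noise does not count.
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, user, host, now):
        self.by_user[user].append(now)
        self.by_host[host].append(now)

    def user_locked(self, user, now):
        q = self.by_user[user]
        self._prune(q, now)
        return len(q) >= USER_THRESHOLD

    def host_blocked(self, host, now):
        q = self.by_host[host]
        self._prune(q, now)
        return len(q) >= HOST_THRESHOLD


def simulate_guessing(attempts=50):
    """One constructed host guesses alice's password `attempts` times; then
    alice logs in from her own (constructed) host. Returns, for each policy,
    whether alice's legitimate login is still allowed and whether the guessing
    host is rejected."""
    t = FailureTracker()
    guesser, alice_host = "203.0.113.9", "198.51.100.7"   # constructed addresses
    for i in range(attempts):
        t.record_failure("alice", guesser, now=float(i))
    now = float(attempts)
    return {
        "user_lockout": {"alice_allowed": not t.user_locked("alice", now)},
        "host_reject": {"alice_allowed": not t.host_blocked(alice_host, now),
                        "guesser_rejected": t.host_blocked(guesser, now)},
    }
```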