This is a discussion on Re: Account lockout support in Solaris 10 whenauthenticating againstKerberos - Kerberos ; Yu, Ming wrote: > Russ, > > Thanks for the help. > > That is th info I am looking for. But using PAM to lockout a user, is per machine. If you are trying to avoid password guesses, the ...
Yu, Ming wrote:
> Thanks for the help.
> That is th info I am looking for.
But using PAM to lockout a user, is per machine.
If you are trying to avoid password guesses, the user could
try another machine, and get another N guesses. Better then
nothing, but maybe not what you really want.
As Russ points out below, maybe some intrusion detection system
might also be in order, with PAM notifying the IDS.
> ----- Original Message -----
> From: firstname.lastname@example.org
> To: email@example.com
> Sent: Mon Dec 10 20:45:49 2007
> Subject: Re: Account lockout support in Solaris 10 when authenticating againstKerberos
> "Yu, Ming"
>> But I am still not clear how to "lock out" account after n-times of
>> failed login.
>> Are you saying there is no way to do it in current version of MIT
> Right, there's no way to do it at a Kerberos level. There are various
> things that you can do within the service that's authenticating, but it
> may require development on your part. (For example, if you're
> authenticating the user via PAM, you could store the PAM failure count
> somewhere and reject logins to that user once the failures reach a
> particular threshold, something you could do without modifying anything
> about how Kerberos works.)
> Converting a failed authentication compromise into a denial of service
> attack is generally a stupid idea, IMO. Far better to start rejecting
> packets from a host that's apparently trying to do a dictionary attack.
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439