Yu, Ming wrote:
> Russ,
>
> Thanks for the help.
>
> That is th info I am looking for.


But using PAM to lockout a user, is per machine.
If you are trying to avoid password guesses, the user could
try another machine, and get another N guesses. Better then
nothing, but maybe not what you really want.

As Russ points out below, maybe some intrusion detection system
might also be in order, with PAM notifying the IDS.

>
> Ming
>
> ----- Original Message -----
> From: kerberos-bounces@mit.edu
> To: kerberos@mit.edu
> Sent: Mon Dec 10 20:45:49 2007
> Subject: Re: Account lockout support in Solaris 10 when authenticating againstKerberos
>
> "Yu, Ming" writes:
>
>> But I am still not clear how to "lock out" account after n-times of
>> failed login.
>>
>> Are you saying there is no way to do it in current version of MIT
>> kerberos?

>
> Right, there's no way to do it at a Kerberos level. There are various
> things that you can do within the service that's authenticating, but it
> may require development on your part. (For example, if you're
> authenticating the user via PAM, you could store the PAM failure count
> somewhere and reject logins to that user once the failures reach a
> particular threshold, something you could do without modifying anything
> about how Kerberos works.)
>
> Converting a failed authentication compromise into a denial of service
> attack is generally a stupid idea, IMO. Far better to start rejecting
> packets from a host that's apparently trying to do a dictionary attack.
>


--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444