principal lockout feature - Kerberos



Thread: principal lockout feature

  1. principal lockout feature

    Hi,

    Can anybody please guide me how to enable the principal lockout feature in MIT kerberos.

    Thanks and regards
    Prashant
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: principal lockout feature

    prashant sodhiya wrote:
    > Hi,
    >
    > Can anybody please guide me how to enable the principal lockout feature in MIT kerberos.
    >
    > Thanks and regards
    > Prashant


    The principal lockout feature is not supported in MIT Kerberos.
    One reason is because it doesn't behave the way that most people
    want it to. What administrators want is a lockout feature that
    tracks the number of login attempts performed by an end user.
    However, when using Kerberos to log in, the client may perform
    more than one Kerberos protocol operation as part of the attempt
    to log in the user. If the lockout is set at 3, then three failed
    protocol operations will cause a lockout, not three login attempts.

    Another problem is caused by the master-slave model of the MIT KDCs.
    Each KDC has its own lockout count that is not shared with the other
    KDCs. This means that if the client is locked out of one KDC it may
    still be able to login by contacting an alternative one.

    The best that you can do with the lockout feature is set an upper
    bound on the number of protocol operations. To allow three login
    attempts to be performed the lockout count would need to be at least
    nine. If you have five KDCs, this would result in an upper bound
    of 45 protocol operations before total lockout occurred.

    Jeffrey Altman
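The two effects described in the reply above (a counter that ticks per failed protocol operation rather than per login attempt, and a counter that is private to each KDC) can be made concrete with a small simulation. This is an added illustration, not code from the thread and not MIT Kerberos code; it assumes a simplified model in which every failed login attempt costs a fixed number of failed protocol operations against one KDC, each KDC keeps its own failure counter, and a KDC refuses further operations once its counter reaches the threshold. The KDC names and the `Kdc`/`simulate`/`threshold_for` helpers are hypothetical.

```python
"""Simulate per-KDC lockout counters driven by failed protocol operations.

Added illustration, not code from the mailing-list thread or from MIT
Kerberos. Model assumptions (not taken from the page): each failed login
costs OPS_PER_LOGIN failed protocol operations against a single KDC, every
KDC keeps a private failure counter, and a KDC refuses all further
operations once that counter reaches the lockout threshold.
"""
from dataclasses import dataclass, field


@dataclass
class Kdc:
    name: str
    threshold: int
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.threshold

    def failed_operation(self) -> bool:
        """Record one failed protocol op; return False if refused because locked."""
        if self.locked:
            return False
        self.failures += 1
        return True


@dataclass
class Outcome:
    login_attempts: int      # attempts the client was able to start
    complete_attempts: int   # attempts whose every operation was processed
    protocol_ops: int        # failed protocol operations processed in total
    per_kdc: dict[str, int] = field(default_factory=dict)


def simulate(threshold: int, ops_per_login: int, kdc_count: int) -> Outcome:
    """Drive failed logins until every KDC is locked out; report the totals."""
    if ops_per_login < 1 or threshold < 0 or kdc_count < 1:
        raise ValueError("ops_per_login >= 1, threshold >= 0, kdc_count >= 1")
    kdcs = [Kdc(f"kdc{i + 1}", threshold) for i in range(kdc_count)]  # hypothetical names
    attempts = complete = ops = 0
    while any(not k.locked for k in kdcs):
        # The client fails over to the first KDC that still answers; a
        # round-robin client reaches the same totals in a different order.
        kdc = next(k for k in kdcs if not k.locked)
        attempts += 1
        processed = 0
        for _ in range(ops_per_login):
            if not kdc.failed_operation():
                break  # counter reached the threshold mid-attempt
            processed += 1
        ops += processed
        if processed == ops_per_login:
            complete += 1
    return Outcome(attempts, complete, ops, {k.name: k.failures for k in kdcs})


def threshold_for(wanted_attempts: int, ops_per_login: int, kdc_count: int) -> tuple[int, int]:
    """Per-KDC threshold that allows `wanted_attempts` full logins, and the
    resulting upper bound on failed protocol operations across all KDCs."""
    threshold = wanted_attempts * ops_per_login
    return threshold, threshold * kdc_count


if __name__ == "__main__":
    # Threshold 3 with 3 ops per login locks each KDC after a single attempt.
    print(simulate(threshold=3, ops_per_login=3, kdc_count=5))
    # Threshold 9 gives three real attempts per KDC, 45 failed ops in total.
    print(simulate(threshold=9, ops_per_login=3, kdc_count=5))
    print(threshold_for(wanted_attempts=3, ops_per_login=3, kdc_count=5))
```

Running it with five KDCs and three operations per login shows the point of the reply: a threshold of 3 locks each KDC after one login attempt, a threshold of 9 allows three attempts per KDC but 45 failed protocol operations overall, and a threshold that is not a multiple of the per-login operation count locks the KDC partway through an attempt.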
