I used to have KA's preauthentication with the responding ability of locking out principals that got more than 10 unsuccessful attempts of authentication (usually for 36 hours). This way I prevent some sorts of attacks. Also I can sort out the users who store their password (against the rule) within a client (I get them after a password change when the client tries to use the old password).

I've been looking for that facility in heimdal w/o any success. The only thing I found is this

kadmin get_entry <principal>
......

Kvno: 6
Mkvno: 0
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2005-06-03 23:48:32 UTC
.....

Have I been missing something or is it just not there? If it isn't there yet, is it planned to introduce such a function?

Yours sincerely
Mathias Feiler
On Tue, 7 Jun 2005, Mathias Feiler wrote:
> I used to have KA's preauthentication with the responding ability
> of locking out principals that got more than 10 unsuccessful
> attempts of authentication (usually for 36 hours).
> This way I prevent some sorts of attacks. Also I can sort out the
> users who store their password (against the rule) within a client
> (I get them after a password change when the client tries to use
> the old password).
>
> I've been looking for that facility in heimdal w/o any success.
> The only thing I found is this
> kadmin get_entry <principal>
> ......
>
> Kvno: 6
> Mkvno: 0
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2005-06-03 23:48:32 UTC
> .....
>
> Have I been missing something or is it just not there?

You didn't miss anything. It's really not there ...

> If it isn't there yet, is it planned to introduce such a function?

Well, years ago, I asked the same question. That time I was told that the
current database model does not support account locking (but Love and
Johan will probably know better...).

All I can say is that you can live without it. People offending against
the password policy can be trapped by observing log files, too.

Greetings
Andreas

--
| Andreas Haupt     | E-Mail: [hidden email]
| DESY Zeuthen      | WWW: http://www.desy.de/~ahaupt
| Platanenallee 6   | Phone: +49/33762/7-7359
| D-15738 Zeuthen   | Fax: +49/33762/7-7216
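Andreas's suggestion that policy offenders can be trapped by watching the log files, as an added example that is not code from this thread or from Heimdal: a Python script that counts failed preauthentication entries per principal inside a sliding window and reports the principals that would have tripped the lockout rule Mathias describes (10 failures within 36 hours). The log lines are constructed, and the syslog-prefixed "Failed to decrypt PA-DATA -- <principal>" line format is an assumption to check against your own KDC's output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Heimdal-style KDC line: syslog prefix, then the KDC's
# "Failed to decrypt PA-DATA -- <principal>" message (check your version's format).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kdc\[\d+\]: "
    r"Failed to decrypt PA-DATA -- (?P<princ>\S+)$"
)

def failed_preauths(lines, year):
    """Yield (timestamp, principal) for every failed-preauth line, in log order."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["princ"]

def lockout_candidates(lines, threshold=10, window=timedelta(hours=36), year=2005):
    """Map principal -> time its failure count first reached `threshold` within
    one sliding `window`; older failures age out, as a KDC lockout counter would."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, princ in failed_preauths(lines, year):
        q = recent[princ]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and princ not in flagged:
            flagged[princ] = ts
    return flagged

def sample_log_lines():
    """Constructed sample log: bob fails 10 times in ten minutes, carol 3 times,
    dave 10 times split across 48 hours (never 10 inside one 36-hour window)."""
    def fail(day, hour, minute, user):
        return (f"Jun {day:2d} {hour:02d}:{minute:02d}:00 kdc1 kdc[4242]: "
                f"Failed to decrypt PA-DATA -- {user}@EXAMPLE.ORG")
    lines = ["Jun  8 09:59:00 kdc1 kdc[4242]: AS-REQ alice@EXAMPLE.ORG from "
             "IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG"]
    lines += [fail(8, 10, m, "bob") for m in range(10)]
    lines += [fail(8, 10, m, "carol") for m in range(3)]
    lines += [fail(8, 11, m, "dave") for m in range(5)]
    lines += [fail(10, 11, m, "dave") for m in range(5)]
    return lines

if __name__ == "__main__":
    for princ, when in lockout_candidates(sample_log_lines()).items():
        print(f"{princ}: reached threshold at {when:%Y-%m-%d %H:%M}")
```

Feed it the real KDC log (`lockout_candidates(open("/var/log/kdc.log"), year=...)`) after adjusting FAIL_RE; a principal that shows up here right after a password change is the "old password stored in a client" case Mathias mentions.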
> Well, years ago, I asked the same question. That time I was told that the
> current database model does not support account locking (but Love and
> Johan will probably know better...).

For our XAD identity server, which supports account locking, we added an auditing code path to the Heimdal KDC. I mentioned it to Love some time ago, I'm happy to commit it once approved.

-- Luke
On Wed, 2005-06-08 at 23:12 +1000, Luke Howard wrote:
> > Well, years ago, I asked the same question. That time I was told that the
> > current database model does not support account locking (but Love and
> > Johan will probably know better...).
>
> For our XAD identity server, which supports account locking, we added
> an auditing code path to the Heimdal KDC. I mentioned it to Love some
> time ago, I'm happy to commit it once approved.

As you might imagine, I'm interested in this if you can forward me the patch :-)

Thanks,

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
On Wed, 8 Jun 2005, Andreas Haupt wrote:
|
|> Have I been missing something or is it just not there?
|
|You didn't miss anything. It's really not there ...
|
|> If it isn't there yet, is it planned to introduce such a function?
|
|Well, years ago, I asked the same question. That time I was told that the
|current database model does not support account locking (but Love and
|Johan will probably know better...).
|
|All I can say is that you can live without it.

I know, years ago we ran the KA w/o it too.

|People offending against
|the password policy can be trapped by observing log files, too.

Well, that's true in terms of password policy violation, even if it is not an in-time detection.
It is less true in terms of half-spied passwords. If one tries to guess the rest of the password it would take (much) more time or it tends to come to the victim's attention.
Also I hate to bother my customers' habits.
On the other hand I know I expose my site to a DoS attack.
Maybe all in all you are right. - I'd wish to have it anyway -

|
|Greetings
|Andreas
|
|--
|| Andreas Haupt     | E-Mail: [hidden email]
|| DESY Zeuthen      | WWW: http://www.desy.de/~ahaupt
|| Platanenallee 6   | Phone: +49/33762/7-7359
|| D-15738 Zeuthen   | Fax: +49/33762/7-7216

I am happy to answer any questions, but prefer to be contacted by telephone (3949 or +49 (0)179 6954907). Thank you.

Respectfully and with kind regards
M.Feiler

----
Computer viruses are like the various sexually transmitted diseases: usually you CATCH them when you are too careless and go unprotected.

PGP public key & Homepage: http://www.uni-hohenheim.de/~feiler