Locking of principals due to unsuccessful attempts

Locking of principals due to unsuccessful attempts

Mathias Feiler

I used to have KA's preauthentication with the accompanying ability
to lock out principals that got more than 10 unsuccessful
authentication attempts (usually for 36 hours).
This way I prevent some sorts of attacks. I can also sort out the
users who store their password (against the rules) within a client
(I catch them after a password change, when the client tries to use
the old password).

I've been looking for that facility in Heimdal without any success.
The only thing I found is this:
        kadmin get_entry <principal>
        ......

                         Kvno: 6
                        Mkvno: 0
        Last successful login: never
            Last failed login: never
           Failed login count: 0
                Last modified: 2005-06-03 23:48:32 UTC
  .....

Have I been missing something, or is it just not there?

If it isn't there yet, is it planned to introduce such a function?


Yours sincerely,   Mathias Feiler



Re: Locking of principals due to unsuccessful attempts

Andreas Haupt
On Tue, 7 Jun 2005, Mathias Feiler wrote:

>
> I used to have KA's preauthentication with the accompanying ability
> to lock out principals that got more than 10 unsuccessful
> authentication attempts (usually for 36 hours).
> This way I prevent some sorts of attacks. I can also sort out the
> users who store their password (against the rules) within a client
> (I catch them after a password change, when the client tries to use
> the old password).
>
> I've been looking for that facility in Heimdal without any success.
> The only thing I found is this:
> kadmin get_entry <principal>
> ......
>
>                 Kvno: 6
>                Mkvno: 0
> Last successful login: never
>    Last failed login: never
>   Failed login count: 0
>        Last modified: 2005-06-03 23:48:32 UTC
>   .....
>
> Have I been missing something, or is it just not there?

You didn't miss anything. It's really not there ...

> If it isn't there yet, is it planned to introduce such a function?

Well, years ago, I asked the same question. At that time I was told that the
current database model does not support account locking (but Love and
Johan will probably know better...).

All I can say is that you can live without it. People offending against
the password policy can be trapped by observing log files, too.

Greetings
Andreas

--
| Andreas Haupt                      | E-Mail:  [hidden email]
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7359
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216

Re: Locking of principals due to unsuccessful attempts

Luke Howard

>Well, years ago, I asked the same question. At that time I was told that the
>current database model does not support account locking (but Love and
>Johan will probably know better...).

For our XAD identity server, which supports account locking, we added
an auditing code path to the Heimdal KDC. I mentioned it to Love some
time ago, I'm happy to commit it once approved.

-- Luke


Re: Locking of principals due to unsuccessful attempts

Andrew Bartlett
On Wed, 2005-06-08 at 23:12 +1000, Luke Howard wrote:
> >Well, years ago, I asked the same question. At that time I was told that the
> >current database model does not support account locking (but Love and
> >Johan will probably know better...).
>
> For our XAD identity server, which supports account locking, we added
> an auditing code path to the Heimdal KDC. I mentioned it to Love some
> time ago, I'm happy to commit it once approved.

As you might imagine, I'm interested in this if you can forward me the
patch :-)

Thanks,

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


Re: Locking of principals due to unsuccessful attempts

Mathias Feiler
On Wed, 8 Jun 2005, Andreas Haupt wrote:
|
|>
|> Have I been missing something, or is it just not there?
|
|You didn't miss anything. It's really not there ...
|
|> If it isn't there yet, is it planned to introduce such a function?
|
|Well, years ago, I asked the same question. At that time I was told that the
|current database model does not support account locking (but Love and
|Johan will probably know better...).
|
|All I can say is that you can live without it.
I know; years ago we ran the KA without it, too.

|People offending against
|the password policy can be trapped by observing log files, too.

Well, that's true in terms of password-policy violations, even if it is not
in-time detection.

It is less true in terms of half-spied passwords.
If someone tries to guess the rest of the password, it would take
(much) more time, or it tends to come to the victim's attention.

Also, I hate to bother my customers' habits.

On the other hand, I know it exposes my site to a DoS attack.


Maybe, all in all, you are right. I'd wish to have it anyway.


|
|Greetings
|Andreas
|
|--
|| Andreas Haupt                      | E-Mail:  [hidden email]
||  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
||  Platanenallee 6                   | Phone:   +49/33762/7-7359
||  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216
|


I am happy to answer any questions, but prefer to be contacted by
telephone (3949 or +49 (0)179 6954907). Thank you.


Respectfully and with kind regards,   M.Feiler


----
  Computer viruses are much like various sexually transmitted
  diseases: usually you CATCH them by being too careless and
  having unprotected intercourse.

PGP public key &  Homepage   :  http://www.uni-hohenheim.de/~feiler