[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Locking of principales due to unsuccessfull attempts
On Tue, 7 Jun 2005, Mathias Feiler wrote:
>
> I used to have KA's preauthentication with the responding ability
> of locking out pricipales that got more than 10 unsuccessful
> attempts of authentication (usually for 36 hour).
> This way I prevent some sort of attacks. Also I can sort out the
> user which stores their password (against rule) within a client
> (I get them after password change when the client tries to use
> the old password).
>
> I've been looking for that facilitie in heimdal w/o any success.
> The only thing I found is this
> kadmin get_entry <principal>
> ......
>
> Kvno: 6
> Mkvno: 0
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2005-06-03 23:48:32 UTC
> .....
>
> Have I been missing something or is it just not there?
You didn't miss anything. It's really not there ...
> If it isn't there jet, is it planed to introduce such a function?
Well, years ago, I asked the same question. That time I was told that the
current database model does not support account locking (but Love and
Johan will probably know better...).
All I can say is that you can live without it. People offending against
the password policy can be trapped by observing log files, too.
Greetings
Andreas
--
| Andreas Haupt | E-Mail: andreas.haupt@desy.de
| DESY Zeuthen | WWW: http://www.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216