
Re: Locking of principals due to unsuccessful attempts

On Tue, 7 Jun 2005, Mathias Feiler wrote:

> I used to have KA's preauthentication with the responding ability
> of locking out principals that got more than 10 unsuccessful
> attempts of authentication (usually for 36 hours).
> This way I prevent some sort of attacks. Also I can sort out the
> users who store their password (against the rules) within a client
> (I get them after a password change when the client tries to use
> the old password).
> I've been looking for that facility in Heimdal w/o any success.
> The only thing I found is this
> 	kadmin get_entry <principal>
> 	......
> 	                 Kvno: 6
> 	                Mkvno: 0
> 	Last successful login: never
> 	    Last failed login: never
> 	   Failed login count: 0
> 	        Last modified: 2005-06-03 23:48:32 UTC
>  	.....
> Have I been missing something, or is it just not there?

You didn't miss anything. It's really not there ...

> If it isn't there yet, is it planned to introduce such a function?

Well, years ago, I asked the same question. At that time I was told that the
current database model does not support account locking (but Love and
Johan will probably know better...).

All I can say is that you can live without it. People offending against 
the password policy can be trapped by observing log files, too.


| Andreas Haupt                      | E-Mail:  andreas.haupt@desy.de
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7359
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216
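
Added example (not part of the original message and not Heimdal code): one way to do the log observation suggested in the reply, counting failed preauthentication attempts per principal against the 10-failure, 36-hour figures from the quoted KA setup. The log line layout, principal names and addresses are constructed for illustration; adapt `LINE_RE` to what your KDC actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # failures tolerated (figure from the quoted KA setup)
WINDOW = timedelta(hours=36)    # look-back period (the quoted lockout duration)

# Assumed line layout, not a real KDC format:
#   <ISO timestamp> <principal> from <addr> preauth <ok|failed>
LINE_RE = re.compile(r"^(\S+) (\S+) from (\S+) preauth (ok|failed)$")

def flag_principals(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each principal with more than `threshold` failures inside one
    `window` to the sorted source addresses those failures came from."""
    recent = defaultdict(deque)     # principal -> (time, addr) of recent failures
    flagged = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) == "ok":
            # Successes are deliberately not a reset: after a password change the
            # user logs in fine while a client with the old password keeps failing.
            continue
        ts, princ, addr = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = recent[princ]
        q.append((ts, addr))
        while ts - q[0][0] > window:
            q.popleft()             # forget failures older than the window
        if len(q) > threshold:
            flagged[princ].update(a for _, a in q)
    return {p: sorted(a) for p, a in flagged.items()}

def sample_log():
    """Constructed records: alice has a stale client, bob mistypes, carol is slow."""
    t0 = datetime(2005, 6, 7, 8, 0, 0)
    rows = [(t0 + timedelta(minutes=5 * i), "alice@EXAMPLE.ORG", "192.0.2.10", "failed")
            for i in range(12)]
    rows.append((t0 + timedelta(minutes=7), "alice@EXAMPLE.ORG", "192.0.2.20", "ok"))
    rows += [(t0 + timedelta(minutes=i), "bob@EXAMPLE.ORG", "192.0.2.30", "failed")
             for i in range(3)]
    rows += [(t0 + timedelta(hours=4 * i), "carol@EXAMPLE.ORG", "192.0.2.40", "failed")
             for i in range(11)]
    rows.sort()                     # a log file is in time order
    return [f"{ts.isoformat()} {p} from {a} preauth {r}" for ts, p, a, r in rows]

if __name__ == "__main__":
    for princ, addrs in flag_principals(sample_log()).items():
        print(princ, "exceeded", THRESHOLD, "failures; sources:", ", ".join(addrs))
```

The source addresses in the result point at the client holding the stale password, which is the policy case the original question wanted to catch.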