Date: Fri, 13 Nov 1998 12:39:18 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc: oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
Message-ID: <Pine.BSF.3.96.981113123242.15232B-100000@fledge.watson.org>
In-Reply-To: <199811131452.GAA15069@cwsys.cwsent.com>
On Fri, 13 Nov 1998, Cy Schubert - ITSD Open Systems Group wrote:

> > I have always found the lockout behavior of some operating systems a
> > little upsetting; the opportunity for denying service is quite large,
> > especially to the administrator. On the other hand, NT's excluding the
> > administrator from lockout behavior doesn't seem quite right either :).
> > Besides which, suppose someone enters the wrong password in the POP or
> > IMAP mail reader -- it may retry the connection several times (if set to
> > check mail often) before the user notices, and lockout can occur quickly
> > in that kind of situation.
> >
> > Probably the best solution is to enforce better passwords, or use of
> > PK-based authentication. Or one-time passwords.
>
> How about Kerberos? FreeBSD comes with Kerberos IV and there is a
> Kerberos V port in the ports collection.

I suppose an alternative to account lockout is to have an authentication
scheme where keyspace search is infeasible :). I'm not so impressed with
Kerberos since the DES key cracker was announced :). However, it's certainly
better than nothing. I use Kerberos on my machines for this reason, and it
certainly makes administration easier. Coda also supports kerberos (with my
patches, available for download from andrew2.andrew.cmu.edu/dist). I've been
thinking of patching the KerberosIV distribution with FreeBSD to use Blowfish
from SSLeay instead of DES for local use -- would screw interoperability, but
would be a lot more secure, I suspect. And Kerberos is the preferred
authentication method for CMU's Cyrus mail server (which I use for my mail
server).

I don't think kerberos really addresses the lockout issue, as most people
just use it as a centralized key management tool (which is what it was
designed to be, really :). Any attempt to search passwords by repeated login
attempts would still work, although there is now a centralized server where
this could be monitored and possibly restricted (i.e., if there are lots and
lots of failed ticket requests, you could limit the rate at the kerberos
server). Because users of kerberos use their password as the key to retrieve
authenticators/tickets, it is as weak (for each principal) as the password
used as the key.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
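The message above suggests limiting the rate of failed ticket requests at the central server rather than locking accounts. The following is an added example, not code from the thread or from any Kerberos distribution, of what such a throttle could look like: a per-principal sliding window of failures that adds a capped, self-decaying delay to further attempts and raises an alert past a threshold. The log format, the principal names, the thresholds (WINDOW_SECONDS, FREE_FAILURES, MAX_DELAY, ALERT_THRESHOLD) and the sample log lines are all constructed for the example.

```python
"""Sliding-window failure throttle for a central authentication server.

Added example (not part of the original thread). It models the idea of
rate-limiting failed ticket requests per principal instead of hard
account lockout: failures inside a time window raise a bounded delay
that expires on its own, so a mail client retrying a stale password or a
hostile party hammering an account cannot permanently lock out the real
user (or the administrator), while a password search through repeated
attempts is slowed down. All log lines and parameters are constructed.
"""
from collections import defaultdict, deque
import re

WINDOW_SECONDS = 300     # assumption: only failures from the last 5 minutes count
FREE_FAILURES = 3        # assumption: the first few failures cost nothing
MAX_DELAY = 60.0         # assumption: cap the delay so it never becomes a lockout
ALERT_THRESHOLD = 10     # assumption: alert an operator at this many failures

# Constructed log format (not a real KDC format):
#   <epoch seconds> <OK|FAIL> principal=<name> src=<address>
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<result>OK|FAIL) principal=(?P<principal>\S+) src=(?P<src>\S+)$"
)


class FailureThrottle:
    """Tracks recent failures per principal and computes a backoff delay."""

    def __init__(self, window=WINDOW_SECONDS, free=FREE_FAILURES, max_delay=MAX_DELAY):
        self.window = window
        self.free = free
        self.max_delay = max_delay
        self._failures = defaultdict(deque)  # principal -> timestamps of failures

    def _prune(self, principal, now):
        """Drop failures older than the window; return the live deque."""
        q = self._failures[principal]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record(self, principal, now, success):
        """Record one attempt; return the delay (seconds) for the next one."""
        if success:
            self._failures.pop(principal, None)  # a good login clears the history
            return 0.0
        self._prune(principal, now).append(now)
        return self.delay(principal, now)

    def failures(self, principal, now):
        """Number of failures for this principal still inside the window."""
        return len(self._prune(principal, now))

    def delay(self, principal, now):
        """Exponential backoff beyond the free failures, capped at max_delay."""
        excess = self.failures(principal, now) - self.free
        if excess <= 0:
            return 0.0
        return min(self.max_delay, 2.0 ** (excess - 1))


def process_log(lines, throttle=None):
    """Feed constructed log lines through a throttle.

    Returns (decisions, alerts): one (ts, principal, src, delay) tuple per
    parsed line, and the list of principals that reached ALERT_THRESHOLD
    failures inside the window (each reported once per crossing).
    """
    if throttle is None:
        throttle = FailureThrottle()
    decisions, alerts = [], []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the constructed format
        ts, principal = int(m["ts"]), m["principal"]
        ok = m["result"] == "OK"
        d = throttle.record(principal, ts, ok)
        decisions.append((ts, principal, m["src"], d))
        if not ok and throttle.failures(principal, ts) == ALERT_THRESHOLD:
            alerts.append(principal)
    return decisions, alerts


# Constructed sample: a mail client retrying a stale password for alice,
# then a burst of failures against root from one address.
SAMPLE_LOG = [
    "1000 FAIL principal=alice@EXAMPLE.ORG src=10.0.0.5",
    "1030 FAIL principal=alice@EXAMPLE.ORG src=10.0.0.5",
    "1060 FAIL principal=alice@EXAMPLE.ORG src=10.0.0.5",
    "1090 FAIL principal=alice@EXAMPLE.ORG src=10.0.0.5",
    "1120 OK principal=alice@EXAMPLE.ORG src=10.0.0.5",
] + [f"{2000 + 5 * i} FAIL principal=root@EXAMPLE.ORG src=192.0.2.9" for i in range(12)]


if __name__ == "__main__":
    t = FailureThrottle()
    decisions, alerts = process_log(SAMPLE_LOG, t)
    for ts, principal, src, d in decisions:
        print(f"{ts} {principal} from {src}: delay next attempt {d:.0f}s")
    print("alerts:", alerts)
    print("root failures still counted at t=2400:", t.failures("root@EXAMPLE.ORG", 2400))
```

Keying the window on the principal alone matches the thread's point that the weakness is per principal; the cap on the delay is what keeps this a throttle rather than a lockout, since a burst against the administrator's principal can at most slow that principal down for the length of the window.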