Date:      Fri, 13 Nov 1998 13:22:47 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>, oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject:   Re: Intruder Lockout 
Message-ID:  <Pine.BSF.3.96.981113131834.15504A-100000@fledge.watson.org>
In-Reply-To: <199811131759.MAA22375@khavrinen.lcs.mit.edu>

On Fri, 13 Nov 1998, Garrett Wollman wrote:

> <<On Fri, 13 Nov 1998 12:39:18 -0500 (EST), Robert Watson <robert@cyrus.watson.org> said:
> 
> > designed to be, really :).  Any attempt to search passwords by repeated
> > login attempts would still work, although there is now a centralized
> 
> Not in Kerberos v5.  Krb5 supports pre-authentication for TGT
> requests, such that in order to get a TGT you must already prove
> cryptographically that you know the password.  That and replay
> protection are the two principal advances of v5 over v4.  (Oh, it also
> allows parametric selection of crypto algorithms.)

I am referring to situations where users attempt to log in without using
an authenticator -- that is, they telnet to a machine or sit at the
console, etc., and attempt to provide a username and password.  Because
this is supported in most Kerberos environments (as opposed to requiring
all connections to use Kerberized stuff), a key search is still feasible
pretty much as it is without Kerberos.  So a lockout would still be
useful to prevent a large volume of attempts against a particular
principal's key.  And it could be coordinated at the KDC instead of at the
individual host level.  On the other hand, in your average Kerberos
environment, there are some keys that are used a whole lot just by virtue
of their nature (such as the imap key for your imap server :).


  Robert N Watson 

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
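The KDC-coordinated lockout Robert describes, with the caveat about heavily used service keys, as an added example that is not part of the thread. It assumes a constructed log line format (`<ISO time> <client host> AUTH_FAIL <principal>`), constructed thresholds and window, and the convention that a principal name containing `/` is a service principal; none of these come from the thread.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window over which failures are counted
USER_THRESHOLD = 5               # lock a user principal after this many failures
SERVICE_THRESHOLD = 500          # far higher for keys that are used constantly

class PrincipalLockout:
    """Per-principal failure counter kept in one place, as a KDC could keep it."""
    def __init__(self):
        self.failures = {}   # principal -> deque of recent failure timestamps
        self.locked = {}     # principal -> time the lockout was triggered

    def threshold_for(self, principal):
        # Service principals (imap/host@REALM, the "imap key" case in the thread)
        # see legitimate traffic all the time, so a user-level threshold would let
        # a few failures deny the service to everyone. Treating any name with a
        # '/' as a service principal is an assumption of this example.
        name = principal.split("@", 1)[0]
        return SERVICE_THRESHOLD if "/" in name else USER_THRESHOLD

    def record_failure(self, principal, when):
        q = self.failures.setdefault(principal, deque())
        q.append(when)
        while when - q[0] > WINDOW:   # discard failures older than the window
            q.popleft()
        if len(q) >= self.threshold_for(principal):
            self.locked.setdefault(principal, when)
        return self.is_locked(principal)

    def is_locked(self, principal):
        return principal in self.locked

def process_log(lines, tracker=None):
    # Constructed log format: "<ISO time> <client host> AUTH_FAIL <principal>".
    # Failures from different hosts count together against the same principal,
    # which is what coordinating at the KDC rather than per host buys you.
    tracker = tracker or PrincipalLockout()
    for line in lines:
        ts, _host, event, principal = line.split()
        if event == "AUTH_FAIL":
            tracker.record_failure(principal, datetime.fromisoformat(ts))
    return tracker

# Constructed sample: six guesses against alice spread over three hosts, and six
# failures against the imap service key, all within ten minutes.
SAMPLE_LOG = [f"1998-11-13T13:0{i}:00 host{i % 3} AUTH_FAIL alice@EXAMPLE.ORG"
              for i in range(6)]
SAMPLE_LOG += [f"1998-11-13T13:0{i}:30 mailhost AUTH_FAIL imap/mail.example.org@EXAMPLE.ORG"
               for i in range(6)]
```

Running `process_log(SAMPLE_LOG)` locks `alice@EXAMPLE.ORG` after the fifth failure even though the attempts came from three different hosts, while the imap service principal stays unlocked under its higher threshold.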

