[Building Sakai] A recent outage caused by Kerberos upgrade.
Jim Eng
jimeng at umich.edu
Wed Apr 28 16:25:43 PDT 2010
Hi Lydia,
I read in an earlier message that the intent of that was to distinguish whether a failed login was due to an incorrect password or an incorrect username. Did your IT folks say whether there is a way to query Kerberos in a way that distinguishes those two cases?
Jim
On Apr 28, 2010, at 6:41 PM, Lydia Li wrote:
> Seth Theriault wrote:
>> Lydia Li wrote:
>>
>>
>>> I guess we could change this single valued property to
>>> multi-valued property that includes old and new messages.
>>>
>>
>> If you would like to provide a patch for this capability, we
>> could certainly check into it.
>>
>
> Our IT said that these fake attempts to check userKnownKerberos "are basically
> indistinguishable from an attack on the KDC. If we ever implemented account
> lockout or other defenses against attempts to crack Kerberos passwords,
> either Coursework or possibly the users Coursework is checking would be locked
> out of Kerberos for the repeated failed login".
>
>
> So they have suggested that I instead log in to our LDAP and check the kerberosStatus for a user.
> This, however, would be an institution-specific implementation.
>
> thanks,
> Lydia
>
>
>
>> Seth
>>
>