[Building Sakai] A recent outage caused by Kerberos upgrade.

Lydia Li lydial at stanford.edu
Wed Apr 28 17:27:45 PDT 2010


Jim Eng wrote:
> Hi Lydia,
>
> I read in an earlier message that the intent of that was to distinguish whether a failed login was due to an incorrect password or an incorrect username. 

The intent of that code is just to check whether a user is known to Kerberos
before logging in to LDAP to look up the user's information in the
directory. It is part of Sakai's login process, but it is not used to
authenticate users with a username and real password. If getUser()
fails, Sakai returns false for the entire authenticate() method.
getUser() is also used any time Sakai wants to look up a user's
information; it is not used only during login.

> Did your IT folks say whether there is a way to query Kerberos in a way that distinguishes those two cases?
>   

From my testing, if the user name is wrong, it returns
msg = Client not found in Kerberos database (6)

So it's a different message and error code.


thanks,
Lydia
> Jim
>
> On Apr 28, 2010, at 6:41 PM, Lydia Li wrote:
>
>> Seth Theriault wrote:
>>
>>> Lydia Li wrote:
>>>
>>>> I guess we could change this single-valued property to a
>>>> multi-valued property that includes old and new messages.
>>>>
>>> If you would like to provide a patch for this capability, we
>>> could certainly check into it.
>>>
>> Our IT said that these fake attempts to check userKnownKerberos "are basically
>> indistinguishable from an attack on the KDC. If we ever implemented account
>> lockout or other defenses against attempts to crack Kerberos passwords,
>> either Coursework or possibly the users Coursework is checkout would be locked
>> out of Kerberos for the repeated failed login".
>>
>> So they have suggested that I instead log in to our LDAP and check the kerberosStatus for a user.
>> This, however, would be an institution-specific implementation.
>>
>> thanks,
>> Lydia
>>
>>> Seth
>>>
>> _______________________________________________
>> sakai-dev mailing list
>> sakai-dev at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>
>> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>>
>

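Added example (editor's note, not Sakai code and not part of the thread): the distinction Lydia observed, "Client not found in Kerberos database (6)" for an unknown user versus a different code for a wrong password, is the KDC error code from RFC 4120 section 7.5.9 (6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, 24 = KDC_ERR_PREAUTH_FAILED, 31 = KRB_AP_ERR_BAD_INTEGRITY, 18 = KDC_ERR_CLIENT_REVOKED, 23 = KDC_ERR_KEY_EXPIRED, 37 = KRB_AP_ERR_SKEW). The Python below parses messages in the "text (code)" shape quoted above, classifies what each outcome says about the user, and counts how many bad-password events a series of "is this user known?" probes leaves against real accounts, which is the lockout hazard Stanford IT described. The usernames and the message texts other than the one quoted in the thread are constructed for the example.

```python
"""Classify Kerberos KDC error text of the form "<message> (<code>)".

Editor's added example; not Sakai's code. Error codes are from RFC 4120
section 7.5.9. Sample messages and usernames below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# RFC 4120 codes an AS-REQ probe with a fake password can come back with.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # no such client principal at the KDC
KDC_ERR_CLIENT_REVOKED = 18        # account disabled/locked at the KDC
KDC_ERR_KEY_EXPIRED = 23           # password expired
KDC_ERR_PREAUTH_FAILED = 24        # bad password, pre-auth timestamp rejected
KDC_ERR_PREAUTH_REQUIRED = 25
KRB_AP_ERR_BAD_INTEGRITY = 31      # bad password, realm without pre-auth
KRB_AP_ERR_SKEW = 37               # clock skew too great

_MSG_RE = re.compile(r"^(?P<text>.*?)\s*\((?P<code>\d+)\)\s*$")


@dataclass(frozen=True)
class ProbeResult:
    code: Optional[int]
    user_known: Optional[bool]   # None: the KDC never got as far as judging the client
    bad_password_attempt: bool   # True: a real principal just had a failed login logged


def parse_krb_error(msg: str) -> Optional[int]:
    """Return the numeric code from 'Client not found in Kerberos database (6)',
    or None when the message carries no '(code)' suffix."""
    m = _MSG_RE.match(msg)
    return int(m.group("code")) if m else None


def classify_probe(msg: str) -> ProbeResult:
    """Decide what a KDC error message says about the probed user."""
    code = parse_krb_error(msg)
    if code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
        # Nothing to lock: the KDC has no account for this name.
        return ProbeResult(code, user_known=False, bad_password_attempt=False)
    if code in (KDC_ERR_PREAUTH_FAILED, KRB_AP_ERR_BAD_INTEGRITY):
        # Principal exists and the fake password was rejected: to the KDC this is
        # exactly what a password-guessing attempt looks like.
        return ProbeResult(code, user_known=True, bad_password_attempt=True)
    if code in (KDC_ERR_CLIENT_REVOKED, KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_REQUIRED):
        # The KDC found the principal but refused before checking a password.
        return ProbeResult(code, user_known=True, bad_password_attempt=False)
    # Clock skew, transport errors or unparsed text say nothing about the user.
    return ProbeResult(code, user_known=None, bad_password_attempt=False)


def bad_password_attempts(probes: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count failed-login events a probe sequence leaves per real account."""
    counts: Dict[str, int] = {}
    for user, msg in probes:
        if classify_probe(msg).bad_password_attempt:
            counts[user] = counts.get(user, 0) + 1
    return counts


# Constructed sample: one (user, KDC message) pair per getUser()-style probe.
SAMPLE_PROBES = [
    ("alice", "Pre-authentication information was invalid (24)"),
    ("alice", "Pre-authentication information was invalid (24)"),
    ("bob", "Integrity check on decrypted field failed (31)"),
    ("ghost", "Client not found in Kerberos database (6)"),
    ("carol", "Clients credentials have been revoked (18)"),
    ("dave", "Clock skew too great (37)"),
]

if __name__ == "__main__":
    for user, msg in SAMPLE_PROBES:
        print(user, classify_probe(msg))
    print("failed logins charged to real accounts:", bad_password_attempts(SAMPLE_PROBES))
```

Two caveats a practitioner should keep in mind: whether a KDC actually locks an account after repeated code 24/31 responses depends on that KDC's policy, not on anything the client can see, and the very fact that unknown users get a distinct code 6 is what makes an AS-REQ probe usable for username enumeration against the KDC, so the "check if known" call leaks the same information an attacker would be after.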

