discussion on implementation of "bad attempt lockout" policy
David Collier-Brown -- Customer Engineering
David.Collier-Brown at Sun.COM
Mon Mar 24 16:34:07 GMT 2003
This has some downsides, you understand: you can lock someone else out of their account by making a bunch of attempts to log in as them. Don't want root tracking your break-in attempts? Lock him out first!

If you do go down this path, consider

a) doing it in a PAM module so the same policy applies to Samba as to all other logins
b) set a short delay (say, 10 minutes) when someone tries to log in, not a unilateral lockout, and notify root by email.

--dave
Jianliang Lu wrote:
> Hi,
> I'm looking at "bad attempt lockout" on samba3.0 a22. My opinion is to
> introduce a new variable "uint32 bad_pw_counts" in the struct user_data of
> SAM_ACCOUNT. So in the auth.c, routine check_ntlm_password(), I can check the
> bad password attempted against the AP_BAD_ATTEMPT_LOCKOUT, if it were more
> than that, I will lock the user.
> I'd like to have your suggestions on this issue, specially to know where I can
> put the count of the bad_pw_counts.
>
>
> Jianliang Lu
> TieSse s.p.a.
> Via Jervis, 60 10015 Ivrea (To) ITALY
> j.lu at tiesse.com
> luj at libero.it
>
--
David Collier-Brown, | Always do right. This will gratify
Sun Microsystems DCMO | some people and astonish the rest.
Toronto, Ontario |
(905) 415-2849 or x52849 | davecb at canada.sun.com
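
Added example, not part of the original message and not Samba or PAM code: a minimal sketch of the time-limited delay suggested in (b), as opposed to a permanent lockout. The struct, function name, threshold of 5 and the notify flag are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Assumed policy values; the message only suggests "say, 10 minutes". */
#define MAX_BAD_ATTEMPTS 5
#define LOCKOUT_SECONDS  (10 * 60)

/* Hypothetical per-account state, not Samba's SAM_ACCOUNT. */
struct lockout_state {
    uint32_t bad_pw_count;  /* consecutive bad passwords */
    time_t   locked_until;  /* 0 means no delay is active */
};
enum auth_result { AUTH_OK, AUTH_BAD_PASSWORD, AUTH_LOCKED };

/* *notify is 1 only on the attempt that starts a delay (mail root once). */
enum auth_result record_attempt(struct lockout_state *st, int password_ok,
                                time_t now, int *notify)
{
    *notify = 0;
    if (st->locked_until != 0) {
        if (now < st->locked_until)
            return AUTH_LOCKED;   /* refused; the delay is not extended */
        st->locked_until = 0;     /* delay expired: start from a clean slate */
        st->bad_pw_count = 0;
    }
    if (password_ok) {
        st->bad_pw_count = 0;
        return AUTH_OK;
    }
    if (++st->bad_pw_count >= MAX_BAD_ATTEMPTS) {
        st->locked_until = now + LOCKOUT_SECONDS;
        *notify = 1;
    }
    return AUTH_BAD_PASSWORD;
}

int main(void)
{
    struct lockout_state st = {0, 0};
    int notify;
    time_t t = 1000;  /* constructed timeline, in seconds */
    for (int i = 0; i < MAX_BAD_ATTEMPTS; i++)
        record_attempt(&st, 0, t++, &notify);
    int during = record_attempt(&st, 1, t, &notify);
    int after = record_attempt(&st, 1, st.locked_until, &notify);
    printf("during delay: %d, after expiry: %d\n", during, after);
    return 0;
}
```

Because attempts made during the delay are refused without extending it, the account owner gets back in once the window passes; repeated bad attempts after expiry can still start a new delay, which is why root is notified.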