[PATCH] bad password lock

Andrew Bartlett abartlet at samba.org
Sun Sep 21 10:49:31 GMT 2003


On Sun, 2003-09-21 at 20:43, Simo Sorce wrote:
> On Sun, 2003-09-21 at 11:05, Andrew Bartlett wrote:
> > On Sun, 2003-09-21 at 18:52, Simo Sorce wrote:
> > > On Fri, 2003-09-19 at 19:10, Jeremy Allison wrote:
> > > > On Fri, Sep 19, 2003 at 11:18:02AM +0200, Aurélien Degrémont wrote:
> > > > 
> > > > > IMHO, it is not a good idea to create a second table to store the 
> > > > > records containing lockout time, if it is what you think...
> > > > 
> > > > Actually it is a very good idea to store the time records
> > > > separately actually, as they are accessed read/write much
> > > > more than any other entry.
> > > 
> > > This should be decided on a passdb backend case.
> > > LDAP users, for example, want everything to be consistent and stored in LDAP,
> > > and it makes no sense to have a separate facility to drive that.
> > > Plus if we want to go on and be finally NT DC compatible we will have to
> > > store these attributes in SAM and all the utilities we have (net,
> > > pdbedit, smbpasswd) will be very pleased to have to deal with a single
> > > facility.
> > 
> > I think we will need both options.  Backends (or even the sam system)
> > should be able to 'switch' between locally-maintained and
> > centrally-maintained attributes.   This is because each and every login
> > will cause a write, and this can get quite expensive in a single-master
> > system.
> 
> I'm not sure such a thing is good. Having a locally-maintained list
> means we have systems that may be desynchronized, such that one accepts
> authentication and another refuses it.

Not quite - the way I understand that NT implements this is that the
counter is maintained locally, but the block is maintained globally.  

That means that if a system had a 'bad password lockout' of 3, you could
connect 2*x + 1 times, where x is the number of DCs.

The main point is to keep 2*x + 1 < sizeof(dictionary), which really does
make this game too easy for attackers (for an online dictionary attack,
the point of this feature).

> If you are concerned with performance, then I think we should
> preferably add an option to disable the feature, for people who do
> not need to use it.

I actually think the compromise is quite workable.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
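The per-DC counter / global block scheme Andrew describes above, as an added simulation (Python; this is not Samba code and not from the thread). It assumes the lock replicates instantly while counters never do, that no observation window ever resets the counters, and that the attacker can steer each login attempt to any DC; it also generalises his "2*x + 1" figure for lockout 3 to an arbitrary threshold, and contrasts it with a single replicated counter.

```python
"""Per-DC bad-password counters with a globally replicated lock.

Added example; not Samba code. Models the scheme described in the message:
each DC keeps its own count of failed logins, and only the lockout itself
is propagated. Assumptions: the lock replicates instantly, counters never
do, there is no observation window that resets counters, and the attacker
can direct each attempt at any DC.
"""


class Domain:
    """Account state across `ndcs` domain controllers (hypothetical model)."""

    def __init__(self, threshold, ndcs, shared_counter=False):
        if threshold < 1 or ndcs < 1:
            raise ValueError("threshold and ndcs must be >= 1")
        self.threshold = threshold
        self.ndcs = ndcs
        self.shared_counter = shared_counter  # True: one replicated counter
        self.counters = [0] * ndcs
        self.locked = False

    def bad_password(self, dc):
        """Record a failed login seen by DC `dc`; return True if now locked."""
        if self.locked:
            return True  # the block is global: every DC refuses
        if self.shared_counter:
            # single-master style: the count itself is replicated everywhere
            self.counters = [c + 1 for c in self.counters]
        else:
            self.counters[dc] += 1  # locally maintained, never replicated
        if self.counters[dc] >= self.threshold:
            self.locked = True  # only this decision is propagated
        return self.locked


def attacker_budget(threshold, ndcs, shared_counter=False):
    """Wrong guesses an online attacker can submit before the lock fires,
    counting the one that trips it, when spreading attempts round-robin."""
    dom = Domain(threshold, ndcs, shared_counter)
    attempts = 0
    while not dom.locked:
        dom.bad_password(attempts % ndcs)
        attempts += 1
    return attempts


def budget_formula(threshold, ndcs):
    """Closed form for local counters: (threshold-1) free tries per DC,
    plus the one that trips the lock. For threshold 3 this is 2*x + 1."""
    return (threshold - 1) * ndcs + 1


def dictionary_coverage(threshold, ndcs, dict_size):
    """Fraction of a dictionary of `dict_size` entries an attacker can try
    online before the account locks (local counters)."""
    return min(1.0, attacker_budget(threshold, ndcs) / dict_size)


if __name__ == "__main__":
    for x in (1, 2, 4, 8):
        print(f"threshold 3, {x} DCs: local counters allow "
              f"{attacker_budget(3, x)} guesses, "
              f"shared counter allows {attacker_budget(3, x, True)}")
```

With one DC both variants lock after exactly `threshold` guesses; every extra DC buys the attacker another `threshold - 1` guesses under local counters, which is the quantity the message says must stay well below the dictionary size.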