
Re: ppolicy lockout grace time? - alternatives



Chris Jacobs wrote:
First of all, password lockout itself is a dumb idea, and we only
implement it because it's part of the original ppolicy spec. The
ppolicy spec is pathetically bad though.

What methods aren't dumb ideas that accomplish account unavailability on
N password failures?

Look at a later rev of the spec - use increasing delays. It's the standard
approach used by Unix for 40-some years.

Is that implementable in OpenLDAP or is this on a per client basis? If
client, for all practical purposes that's not exactly 'doable', forcing us
back to the auth source - OpenLDAP. Think of configuring pfSense, F5 BigIP,
httpd, pam, etc. Some certainly are configurable for that, but the how at
first google search pass seems to be wide and varied.

Think. Clearly it must be implemented in the LDAP server, since actual attackers will not use delays in their attack code.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
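Added example, not from this thread and not OpenLDAP's ppolicy overlay: a sketch of the server-side increasing-delay scheme described above, where each failed bind doubles the interval in which the auth source refuses to verify any password for that account, so a client that ignores the delay gains nothing. All names (`BackoffAuthenticator`, `simulate_hammering`, the sample account and secret) are constructed for illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed binds
    not_before: float = 0.0  # server refuses to verify passwords before this time


class BackoffAuthenticator:
    """Auth source that imposes increasing delays instead of a hard lockout.

    Every failure doubles the interval during which the server will not even
    verify a password for that account. The wait is enforced here, not by the
    client, so attack code that skips the delay still gets one guess per window.
    """

    def __init__(self, passwords, base_delay=1.0, max_delay=300.0):
        self._passwords = passwords  # account -> secret (constructed sample data)
        self._base, self._max = base_delay, max_delay
        self._state = {}
        self.verifications = 0       # how many passwords were actually checked

    def delay_after(self, failures):
        """Delay after `failures` consecutive failures: base * 2^(failures-1), capped."""
        return 0.0 if failures <= 0 else min(self._base * 2 ** (failures - 1), self._max)

    def authenticate(self, account, password, now):
        st = self._state.setdefault(account, AccountState())
        if now < st.not_before:
            # Too early: reject without checking the password. The window is not
            # extended by early attempts, so a legitimate user is never kept out
            # for longer than max_delay, unlike a counter-based lockout.
            return ("retry_after", st.not_before - now)
        self.verifications += 1
        expected = self._passwords.get(account, "")
        if expected and hmac.compare_digest(expected, password):
            self._state[account] = AccountState()  # success clears the backoff
            return ("ok", 0.0)
        st.failures += 1
        st.not_before = now + self.delay_after(st.failures)
        return ("fail", st.not_before - now)


def simulate_hammering(attempts):
    """Attacker fires `attempts` wrong guesses 10 ms apart, ignoring every delay.
    Returns how many guesses the server actually verified."""
    auth = BackoffAuthenticator({"alice": "correct horse"})  # constructed sample
    for i in range(attempts):
        auth.authenticate("alice", f"guess{i}", now=i / 100)
    return auth.verifications
```

With the defaults, 1000 guesses spread over 10 seconds result in only four real password checks (at t = 0, 1, 3 and 7 s), while a user who types the right password after one slip waits a single second.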