On 13-07-26 10:13 AM, Trenton D. Adams wrote:
On 13-07-25 02:48 PM, Andrew Morgan wrote:
On Thu, 25 Jul 2013, Trenton D. Adams wrote:
Hmm, it doesn't seem reasonable for an authentication system to not be
throttled. Any ideas on why it's not on by default? I know it was
for CAS 2.
Can we get it enabled by default going forward?
Our CAS system uses our LDAP service to handle authentication, and our
LDAP service already has a password policy with handles lockout after X
number of failed authentication attempts. Additionaly, we have
different password policies for different categories of users ("higher"
security accounts allow fewer failed authentication attempts).
How does your LDAP support this feature? Is it based on account? if
so, that seems rather inferior to IP based throttling. If for some
reason I was able to gain access to all of the LDAP ids (temporarily
maybe, not as unlikely as one might think) I could use a dictionary
attack, and attempt the same password on every account. That wouldn't
trigger an account based lock out.
Sorry, I've always had attention problems. You already stated it was
based on account. But, that does seem rather inferior to IP based
blocking, don't you think? I remember CAS 2 being something like 100
repeated attempts in quick succession was deemed as an attack, and that
IP was blocked.
And, if LDAP does IP based throttling, that wouldn't work too well with
CAS, as it would block everyone.
We don't really want CAS to handle the lockout/throttling for us, so I
would prefer it wasn't enabled by default. However, it isn't too
difficult to overlay our own configuration with Maven, so we can remove
it if the defaults do change.
Thanks,
Andy
--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Navy Penguins at your service!
Athabasca University
(780) 675-6195
:wq!
--
This communication is intended for the use of the recipient to whom it
is addressed, and may contain confidential, personal, and or privileged
information. Please contact us immediately if you are not the intended
recipient of this communication, and do not copy, distribute, or take
action relying on it. Any communications received in error, or
subsequent reply, should be deleted or destroyed.
---
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
