We've recently run across a problem, and I was wondering how/if other sites
handle it.  In AFS 33 there is the new locking feature you can
set up so that after X number of unsuccessful attempts an account is
locked for some time or until an admin unlocks it.  This works great
on normal user accounts, but what about the privileged accounts?  If you
turn it on, then you subject your cell to denial of service attacks,
(Joe Blow klogs to all your admin accounts with a bogus passwd until
they're all locked and then keeps going to keep them locked) or you
have no max # of attempts and subject the accounts to random "Crack"
type attacks.

It might be nice if klog could log some info on who and where
a failed klog attempt comes from.

-Tom
------------------------------------------------------------------------
- Thomas J. Orban                       U S WEST Technologies          -
- [EMAIL PROTECTED]              4001 Discovery Drive           -
- (303) 541-6620                        Boulder, CO 80303              -
------------------------------------------------------------------------
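As an added example (not from the post, and not AFS or kaserver code), a small Python model of the lockout feature described above: a per-account counter of failed klog attempts that locks the account after X bad tries, so that bogus attempts from one source lock out the legitimate admin, plus a report over the audit record giving the "who and from where" the post asks for. Account names, addresses and the lockout parameters are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    max_attempts: Optional[int]   # None = no limit ("no max # of attempts")
    lock_seconds: int = 600       # assumed lock duration for the model

class AuthServer:
    """Model of a login service with per-account lockout (constructed)."""
    def __init__(self, policy, passwords):
        self.policy = policy
        self.passwords = passwords          # account -> password (constructed)
        self.failures = defaultdict(int)    # per-account failure counter
        self.locked_until = {}              # account -> time the lock expires
        self.audit = []                     # (time, account, source, outcome)

    def klog(self, now, account, source, password):
        """One authentication attempt; returns 'ok', 'bad-password' or 'locked'."""
        if account in self.locked_until and now < self.locked_until[account]:
            self.audit.append((now, account, source, "locked"))
            return "locked"
        if self.passwords.get(account) == password:
            self.failures[account] = 0
            self.audit.append((now, account, source, "ok"))
            return "ok"
        self.failures[account] += 1
        self.audit.append((now, account, source, "bad-password"))
        p = self.policy
        if p.max_attempts is not None and self.failures[account] >= p.max_attempts:
            # the lock is keyed on the account only, so any source can trigger it
            self.locked_until[account] = now + p.lock_seconds
            self.failures[account] = 0
        return "bad-password"

def failures_by_source(audit):
    """Count non-successful attempts per (account, source): the missing log data."""
    counts = defaultdict(int)
    for _, account, source, outcome in audit:
        if outcome != "ok":
            counts[(account, source)] += 1
    return dict(counts)

def demo(max_attempts=5):
    """Five bogus tries from one host, then the real admin logs in from another."""
    srv = AuthServer(LockoutPolicy(max_attempts), {"admin": "s3cret"})
    for t in range(5):
        srv.klog(t, "admin", "10.0.0.99", "bogus")
    return srv.klog(5, "admin", "10.0.0.1", "s3cret"), failures_by_source(srv.audit)
```

With the limit set, the legitimate login from 10.0.0.1 is refused as "locked" even though every bad attempt came from 10.0.0.99; with no limit it succeeds, and the per-source report is what lets an admin tell the two cases apart.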