
Re: [ldapext] Unfinished business: password policy and VLV



One other point that I almost forgot - the whole issue of intruder detection is still rather fragile. E.g., if an attacker is running a stream of guesses against a user while the real user logs in, then the successful login will erase the current pwdFailureTime state and so allow the attacker a few more chances unimpeded.

I suppose this is only a small problem in general. My first response to this is that password failures should only be tracked ephemerally, within a particular DSA. I would also say they should be tracked by client IP address, but these days attacks by botnets make the value of that approach less clear. It's also less effective in an environment using a cluster of load balanced DSAs. But I think it still makes more sense to track failures within a single DSA than to deal with replication of that state.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
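The race described in the message above, simulated as an added example (this is not code from the thread, the password-policy draft, or OpenLDAP). Two lockout strategies are run over the same constructed bind sequence: one keeps pwdFailureTime on the user entry and clears it on any successful bind, as the draft specifies; the other is an assumed implementation of the suggestion in the message, an in-memory counter local to one DSA and keyed by (DN, client IP). The DN, the IP addresses, the pwdMaxFailure/pwdFailureCountInterval values and the attack timing are all made up for the illustration. A second scenario spreads the guesses over many source addresses to show the botnet caveat from the second paragraph.

```python
"""Lockout-reset race: stored-on-entry pwdFailureTime vs. per-DSA, per-IP tracking.

Added example, not from the ldapext thread or from OpenLDAP. All data below
is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

PWD_MAX_FAILURE = 5                 # assumed pwdMaxFailure
PWD_FAILURE_COUNT_INTERVAL = 300    # assumed pwdFailureCountInterval, seconds


@dataclass
class Bind:
    t: int           # seconds since start of the scenario (constructed)
    dn: str
    client_ip: str
    ok: bool         # True if the supplied password is correct


class ReplicatedEntryPolicy:
    """pwdFailureTime values live on the entry and are cleared on success.

    This is the behaviour of the password-policy draft: a successful bind
    removes all pwdFailureTime values, so an attacker interleaved with the
    real user gets a fresh budget of guesses.
    """

    def __init__(self) -> None:
        self.failure_times: dict[str, list[int]] = defaultdict(list)

    def bind(self, b: Bind) -> str:
        # Forget failures older than pwdFailureCountInterval.
        times = [t for t in self.failure_times[b.dn]
                 if b.t - t < PWD_FAILURE_COUNT_INTERVAL]
        if len(times) >= PWD_MAX_FAILURE:
            self.failure_times[b.dn] = times
            return "locked"          # account is locked, even for the right password
        if b.ok:
            self.failure_times[b.dn] = []   # success erases the attacker's progress too
            return "ok"
        times.append(b.t)
        self.failure_times[b.dn] = times
        return "fail"


class PerDsaIpPolicy:
    """Ephemeral, DSA-local failure counter keyed by (DN, client IP).

    Assumed design illustrating the message's suggestion. A success from the
    real user's address clears only that (DN, IP) pair, so the attacker's
    counter keeps growing. Nothing here is replicated.
    """

    def __init__(self) -> None:
        self.failure_times: dict[tuple[str, str], list[int]] = defaultdict(list)

    def bind(self, b: Bind) -> str:
        key = (b.dn, b.client_ip)
        times = [t for t in self.failure_times[key]
                 if b.t - t < PWD_FAILURE_COUNT_INTERVAL]
        if len(times) >= PWD_MAX_FAILURE:
            self.failure_times[key] = times
            return "locked"          # only this client is throttled
        if b.ok:
            self.failure_times[key] = []
            return "ok"
        times.append(b.t)
        self.failure_times[key] = times
        return "fail"


def run(policy, events: list[Bind]) -> list[str]:
    """Feed the bind sequence to a policy and return per-bind results."""
    return [policy.bind(b) for b in events]


def guesses_evaluated(results: list[str], events: list[Bind]) -> int:
    """Attacker guesses the server actually checked (not rejected as 'locked')."""
    return sum(1 for b, r in zip(events, results) if not b.ok and r == "fail")


def constructed_scenario() -> list[Bind]:
    """Attacker guesses, the real user logs in once, attacker keeps guessing."""
    dn = "uid=alice,dc=example,dc=com"          # constructed
    attacker, alice = "198.51.100.7", "203.0.113.42"   # constructed (documentation ranges)
    events = [Bind(t, dn, attacker, False) for t in range(0, 3)]   # 3 wrong guesses
    events.append(Bind(3, dn, alice, True))                         # legitimate login
    events += [Bind(t, dn, attacker, False) for t in range(4, 12)]  # 8 more guesses
    return events


def botnet_scenario() -> list[Bind]:
    """Same number of guesses, each from a different source address."""
    dn = "uid=alice,dc=example,dc=com"
    return [Bind(t, dn, f"198.51.100.{10 + t}", False) for t in range(8)]


if __name__ == "__main__":
    for name, scenario in (("interleaved", constructed_scenario), ("botnet", botnet_scenario)):
        ev = scenario()
        for policy in (ReplicatedEntryPolicy(), PerDsaIpPolicy()):
            res = run(policy, ev)
            print(f"{name:12} {type(policy).__name__:22} evaluated guesses: "
                  f"{guesses_evaluated(res, ev)}  results: {res}")
```

In the interleaved run the entry-stored policy lets the attacker have eight guesses checked (three before the user's login reset the state, five after), while the per-IP counter locks that client after five. The botnet run shows the other side of the trade-off: with every guess from a fresh address the per-IP counter never trips, and only the per-entry count stops the attack.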