[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: password policy enforcement

On Tue, 29 Feb 2000, Kurt D. Zeilenga wrote:

	I understand that, I don't want it replicated.  The problem is
when I've got something stored in the directory entry itself that has to
change to support this, then I need the replication.  If you're
suggesting there's a way to do it without modifying the entry, that's what
would make the most sense.

# I would suggest that each count be local to a server and NOT
# replicated.
# This may sound odd, but it actually will minimize abuse.  If
# you don't replicate the count, an attacker can get N*M attempts
# (N tries on M servers).  However, if you replicate, you can
# get much more than this by trying N on M-1 slaves and then
# trying once on master to get another N on M-1 attempts...
# this can be repeated until the master count has been exceeded.
# Kurt

dustin sallings                            The world is watching America,
http://2852210114/~dustin/                 and America is watching TV.