[tac_plus] Re: bad password/ban
Mark Ellzey Thomas
mark.thomas at corp.aol.com
Tue Jun 9 04:18:59 UTC 2009
On Mon, Jun 08, 2009 at 08:12:46PM -0400, john heasley wrote:
> As I mentioned before, my problem with this is that it can be used as a DoS.
> Your co-worker could lock you out, right? I have no suggestions of how to
> deal with that problem properly.
Yeah, I totally see where you are coming from. In my mind the risk is a
trade-off. Office antics like locking out your coworker's account would result
in even more evil retaliation at our place of work :)
From the perspective of a security engineer, it is much better to have a
single user be a little annoyed that their account is locked temporarily
than to have their account compromised due to a brute force.
Still, the concept of temporarily disabling accounts due to excessive
failures is not a new idea. Many authentication systems implement such
mechanisms, and many industry type audits require such features.
It's also a nice failsafe when all of your staff who monitor such
events are home and in bed.
Maybe a more solid approach is to further modify this patch so that you
can optionally disable accounts based on user/client-addr (as suggested
by others in this thread). The extra space is negligible and probably a
good idea in the long run.
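The user/client-addr lockout discussed above, as an added illustration that is not part of the tac_plus patch or this thread: a hypothetical `LockoutPolicy` tracker keyed on (user, client address), with a `per_client=False` switch to show the user-only behaviour that lets one client lock the account for everyone. Thresholds, windows and addresses are made-up values.

```python
import time
from collections import defaultdict, deque


class LockoutPolicy:
    """Hypothetical failed-login tracker (not tac_plus code).

    With per_client=True the lockout key is (user, client_addr), so a burst of
    failures from one address cannot lock the same user out at another address.
    With per_client=False the key is the user alone, which is the DoS case
    raised in the thread.
    """

    def __init__(self, max_failures=5, window=300, lock_duration=900, per_client=True):
        self.max_failures = max_failures    # failures inside `window` that trigger a lock
        self.window = window                # seconds over which failures are counted
        self.lock_duration = lock_duration  # seconds the temporary lock lasts
        self.per_client = per_client
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def _key(self, user, client_addr):
        return (user, client_addr) if self.per_client else (user,)

    def is_locked(self, user, client_addr, now=None):
        now = time.time() if now is None else now
        key = self._key(user, client_addr)
        expiry = self.locked_until.get(key)
        if expiry is None:
            return False
        if now >= expiry:                   # lock expired: clear it and the history
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, user, client_addr, now=None):
        """Record one failed attempt; return True if it triggered a lock."""
        now = time.time() if now is None else now
        key = self._key(user, client_addr)
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lock_duration
            return True
        return False

    def record_success(self, user, client_addr):
        """A successful login resets the failure history for that key."""
        self.failures.pop(self._key(user, client_addr), None)
```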