[tac_plus] auth fail lock fix or alternatives?

Joe Moore joe.moore at holidaycompanies.com
Mon Feb 20 17:07:30 UTC 2012


I know some of you consider the account lockout feature to be a denial of service vector, but our security auditor insists that we lock out accounts after (no more than) 5 failed login attempts, and there is no chance of that changing. So I have to do it.

I was happily running tac_plus F4.0.4.19 with the tacacs+-F4.0.4.19.afl.patch on a pair of FreeBSD 7.4 servers for some time.

As soon as I updated one of the servers to FreeBSD 8.x, tac_plus would no longer start. Startup failed with the message: Error: Unrecognised token auth-fail-lock on line 6.

The only way I was able to get tac_plus to start was by commenting out that line. I've tried installing F4.0.4.19 with the patch on fresh installs of FreeBSD 8.2 and CentOS 6.2 with the same results. I've had no luck contacting the author of the patch, so I'm assuming there won't be updates available for newer versions of tac_plus. Not updating tac_plus is also something the auditor will eventually notice.

Are there any alternatives to the afl patch? Something that delays the login prompt ever increasing amounts after each failed attempt might work too.

I really don't want to tell my boss that Cisco AC$ is our only option...


L  ...jgm
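The two policies the post weighs (a hard lock after 5 failures, or an ever-increasing delay before the next prompt) can be modelled in a small per-user failure tracker. This is an added example, not code from tac_plus or the afl patch; the `attempt()` entry point is a hypothetical hook an AAA server would call from its authentication path, and the lock duration and delay cap are assumed values.

```python
import time


class AuthFailPolicy:
    """Per-user failed-login tracking: hard lockout after max_failures,
    plus an escalating prompt delay as the softer alternative.
    Both keyed on the username, which is why a lockout can be abused to
    deny service to a known user (the concern raised in the post)."""

    def __init__(self, max_failures=5, lock_seconds=900.0,
                 base_delay=1.0, max_delay=60.0):
        self.max_failures = max_failures      # auditor's requirement: 5
        self.lock_seconds = lock_seconds      # assumed lock duration
        self.base_delay = base_delay          # first backoff step
        self.max_delay = max_delay            # cap so users can recover
        self._failures = {}                   # user -> consecutive failures
        self._locked_until = {}               # user -> unix time lock ends

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        if self._locked_until.get(user, 0.0) > now:
            return True
        if user in self._locked_until:        # lock expired: fresh window
            del self._locked_until[user]
            self._failures.pop(user, None)
        return False

    def record_failure(self, user, now=None):
        now = time.time() if now is None else now
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
        return count

    def record_success(self, user):
        self._failures.pop(user, None)        # success resets the counter

    def prompt_delay(self, user):
        """Escalating-delay alternative: base_delay * 2**(n-1), capped."""
        n = self._failures.get(user, 0)
        return 0.0 if n == 0 else min(self.base_delay * 2 ** (n - 1),
                                      self.max_delay)

    def attempt(self, user, credentials_ok, now=None):
        """One login attempt; returns (outcome, delay before next prompt)."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked", 0.0
        if credentials_ok:
            self.record_success(user)
            return "ok", 0.0
        self.record_failure(user, now)
        return "fail", self.prompt_delay(user)
```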


