On 12/16/2014 10:31 AM, Kenneth MacDonald wrote:
> I've been asked if it would be possible for the MIT krb5 KDC not to
> increment the failed authentication count (and presumably the time) when
> one of the older passwords was used. I know such behaviour is not
> documented. [...]
> I'm wondering whether the old keys stored in the database are suitable
> for attempting such a dummy authentication against.
We don't currently implement this. The historical keys are suitable for checking, so nothing really prevents the KDC from doing it.

There is an unfortunate complication: for no particularly good reason, historical keys are encrypted in a "history key" (referenced by kadmin/history) instead of in the master key. So the KDC would have to keep around the history key (and refresh it on decryption failure in case the cached copy is stale) in order to get at the historical keys. It's possible that we would decide to transition to encrypting history keys in the master key (http://krbdev.mit.edu/rt/Ticket/Display.html?id=1221) as a prerequisite for implementing this feature upstream.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
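A toy model of the check described in the reply above, added here as an illustration; it is not MIT krb5 code and does not use the krb5 KDB API. The string-to-key function (PBKDF2), the authenticated key-wrapping scheme, the database layout (current key wrapped in the master key, historical keys wrapped in a separate, rotatable history key that is itself stored wrapped in the master key) and the name "KDC" for the verifier are all assumptions made for the example. What it shows is the decision logic: a wrong password increments the failure counter, a previous password does not, and the KDC's cached history key is refreshed when decrypting a historical key fails because the cached copy is stale.

```python
"""Toy model of "don't count an old password as a failed auth".
Added example; not MIT krb5 code. Key wrapping, string-to-key and
database layout are assumptions for illustration only."""
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    # Assumed string-to-key: PBKDF2-HMAC-SHA256 stands in for the real
    # Kerberos string2key functions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, 32)


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    # Assumed authenticated wrapping of a 32-byte key under a
    # key-encrypting key: SHA-256 keystream XOR plus an HMAC tag.
    nonce = os.urandom(16)
    stream = hashlib.sha256(kek + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    # Raises ValueError when the wrapping key is wrong or stale.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("decryption failed: wrong or stale wrapping key")
    stream = hashlib.sha256(kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class Database:
    """Assumed layout: current key under the master key, historical keys
    under a separate history key that can be rotated independently."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.history_key = os.urandom(32)
        self.principals = {}

    def stored_history_key(self) -> bytes:
        # What the KDC fetches to (re)load the history key.
        return wrap(self.master_key, self.history_key)

    def rotate_history_key(self) -> None:
        # Re-wrap every historical key under a fresh history key; any
        # copy a KDC has cached is now stale.
        new = os.urandom(32)
        for p in self.principals.values():
            p["history"] = [wrap(new, unwrap(self.history_key, k)) for k in p["history"]]
        self.history_key = new

    def add_principal(self, name: str, password: str) -> None:
        salt = os.urandom(8)
        self.principals[name] = {
            "salt": salt,
            "current": wrap(self.master_key, derive_key(password, salt)),
            "history": [],
            "fail_count": 0,
        }

    def change_password(self, name: str, password: str) -> None:
        p = self.principals[name]
        old = unwrap(self.master_key, p["current"])
        p["history"].append(wrap(self.history_key, old))
        p["current"] = wrap(self.master_key, derive_key(password, p["salt"]))


class KDC:
    def __init__(self, db: Database):
        self.db = db
        self.cached_history_key = None

    def _load_history_key(self) -> bytes:
        return unwrap(self.db.master_key, self.db.stored_history_key())

    def _history_keys(self, p: dict) -> list:
        if self.cached_history_key is None:
            self.cached_history_key = self._load_history_key()
        try:
            return [unwrap(self.cached_history_key, k) for k in p["history"]]
        except ValueError:
            # Cached history key is stale (rotated): refresh once, retry.
            self.cached_history_key = self._load_history_key()
            return [unwrap(self.cached_history_key, k) for k in p["history"]]

    def authenticate(self, name: str, password: str) -> str:
        p = self.db.principals[name]
        candidate = derive_key(password, p["salt"])
        if hmac.compare_digest(candidate, unwrap(self.db.master_key, p["current"])):
            p["fail_count"] = 0
            return "success"
        if any(hmac.compare_digest(candidate, k) for k in self._history_keys(p)):
            return "old-password"  # not counted against lockout
        p["fail_count"] += 1
        return "failure"


def demo() -> list:
    """Returns (outcome, fail_count) after each step of the scenario."""
    db, out = Database(os.urandom(32)), []
    kdc = KDC(db)
    db.add_principal("alice", "first")
    out.append((kdc.authenticate("alice", "first"), db.principals["alice"]["fail_count"]))
    db.change_password("alice", "second")
    out.append((kdc.authenticate("alice", "first"), db.principals["alice"]["fail_count"]))
    out.append((kdc.authenticate("alice", "wrong"), db.principals["alice"]["fail_count"]))
    db.rotate_history_key()  # KDC's cached history key is now stale
    out.append((kdc.authenticate("alice", "first"), db.principals["alice"]["fail_count"]))
    return out
```

Running `demo()` walks through a password change, an attempt with the old password (not counted), a genuinely wrong password (counted), and a history-key rotation followed by another old-password attempt, which still succeeds only because the KDC refreshes its cached history key after the first decryption failure. In the real KDC the historical keys would come from the kadmin/history machinery the reply describes; the toy just mirrors the "cache, and refresh on decryption failure" behaviour.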