directory-dev mailing list archives

From Berin Loritsch <>
Subject Re: I'd like to start helping out here
Date Tue, 23 Nov 2004 21:08:59 GMT
Enrique Rodriguez wrote:

> Berin Loritsch wrote:
>> The immediate need that I would have for this system is to deny 
>> access or allow access from specific addresses.
> Great idea.  I would like to request that ProtocolProviders have a way 
> to notify the SEDA frontend that a Client is problematic.  There are 
> at least two scenarios in the Kerberos and Changepw protocols where 
> the Kerberos services may detect this.
> 1)  Replay attacks, where the Authenticator is compared against a 
> replay cache.
> 2)  ClientAddresses, where Kerberos credentials are issued for use 
> from specific IP address(es).
> Detection of both of these scenarios should be encapsulated in the 
> Kerberos ProtocolProvider, but with denial performed as close to the 
> wire as possible.
> Additionally, Kerberos admins should be able to clear denied Clients 
> via management interface, so there should be a way to notify of a 
> cleared address, too.  This usually happens due to misconfigured clients.
I personally would start with a windowed blackout time.  For example, when
something is exposed to the big internet (like HTTPD), there is always some
idiot who wants to break your system.  Now it is not all 200 users behind the
same gateway that are the problem, but one.  If you deny access from the IP
address it would be reasonable to deny access for a period of, say, 20 minutes
and then start allowing again.

However, the concept is similar.  Something is blocked out until 
something else clears it.

Once the facility is made, the question then comes how to wire things so 
that the accept/deny block can get the change in information.  If SEDA 
is exposed, or there is a command queue of sorts, then we don't really 
have much to worry about.

I'll start looking into this.


"Programming today is a race between software engineers striving to build bigger and better
idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far,
the Universe is winning."
                - Rich Cook
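The windowed blackout described in the message above (deny an address for a fixed period, then let it back in, with an admin able to clear it earlier) and the "command queue of sorts" through which a protocol provider would report a problematic client, as an added example in Python. This is not ApacheDS or SEDA-frontend code; the names BlackoutList, ProblemReport, drain_queue and FakeClock, the 20-minute default, and the sample addresses and reasons are all assumptions made for illustration.

```python
"""Windowed blackout list: a per-address deny list whose entries expire
after a fixed window, fed by a command queue of provider reports.
Added example, not project code; all names here are illustrative."""

import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict

DEFAULT_WINDOW_SECONDS = 20 * 60  # the "say 20 minutes" from the message


@dataclass(frozen=True)
class ProblemReport:
    """One item a protocol provider places on the command queue.

    `reason` is free text; the two cases the thread mentions are a
    replay-cache hit and a client-address mismatch.  `clear=True` is an
    admin lifting a block through the management interface.
    """
    address: str
    reason: str
    clear: bool = False


class BlackoutList:
    """Per-address deny list; each entry lives for one window."""

    def __init__(self, window_seconds: float = DEFAULT_WINDOW_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._window = window_seconds
        self._clock = clock                  # injectable so tests are deterministic
        self._until: Dict[str, float] = {}   # address -> expiry timestamp

    def deny(self, address: str) -> float:
        """Block `address` for one full window from now; returns the expiry."""
        expiry = self._clock() + self._window
        self._until[address] = expiry
        return expiry

    def clear(self, address: str) -> bool:
        """Admin clear; True if the address was actually blocked."""
        return self._until.pop(address, None) is not None

    def is_denied(self, address: str) -> bool:
        """Consulted at accept time; an expired entry is dropped on the spot."""
        expiry = self._until.get(address)
        if expiry is None:
            return False
        if self._clock() >= expiry:
            del self._until[address]
            return False
        return True

    def __len__(self) -> int:
        """Count of still-active blocks (expired ones pruned first)."""
        now = self._clock()
        self._until = {a: t for a, t in self._until.items() if t > now}
        return len(self._until)


def drain_queue(queue: Deque[ProblemReport], blackout: BlackoutList) -> int:
    """Apply every queued report to the deny list; returns how many were applied.

    Providers never touch the accept/deny structure directly: they enqueue a
    report and the frontend applies it close to the wire.
    """
    applied = 0
    while queue:
        report = queue.popleft()
        if report.clear:
            blackout.clear(report.address)
        else:
            blackout.deny(report.address)
        applied += 1
    return applied


class FakeClock:
    """Constructed clock so expiry can be walked through without waiting."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """deny -> still denied at 19 min -> allowed at 20 min; deny -> admin clear."""
    clock = FakeClock()
    blackout = BlackoutList(clock=clock)
    queue: Deque[ProblemReport] = deque()
    # Constructed reports from a hypothetical Kerberos provider.
    queue.append(ProblemReport("192.0.2.10", "replay cache hit"))
    queue.append(ProblemReport("192.0.2.11", "ticket bound to another client address"))
    drain_queue(queue, blackout)
    result = {"denied_at_start": blackout.is_denied("192.0.2.10")}
    clock.advance(19 * 60)
    result["denied_after_19min"] = blackout.is_denied("192.0.2.10")
    clock.advance(60)
    result["denied_after_20min"] = blackout.is_denied("192.0.2.10")
    # The misconfigured client is cleared by an admin before its window ends.
    queue.append(ProblemReport("192.0.2.11", "admin clear", clear=True))
    drain_queue(queue, blackout)
    result["cleared_early"] = not blackout.is_denied("192.0.2.11")
    result["active"] = len(blackout)
    return result


if __name__ == "__main__":
    print(demo())
```

Expiry is checked lazily at accept time rather than by a timer thread, which keeps the accept path lock-free apart from the dictionary lookup; the block is keyed on the single offending address, so the other users behind the same gateway are unaffected unless they share that exact source address.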
