Authentication Policies
Different realms may desire different authentication policies. For instance, realms may be configured to use moderately strong or very strong password encryption, depending on their security needs. Realms also have control over what actions to take when a user's account is apparently under attack. These actions are known as authentication policies. When the authentication DBM receives an authentication command, it compares the password hash sent from authcnetd with the hash stored for the user in that realm. If they don't match, the DBM sends a NAK. The DBM keeps internal counters for each user on a per-realm basis. The counters are:
- cumulative good authentication attempts
- cumulative bad authentication attempts
- bad authentication attempts since the last good one (i.e., consecutive bad attempts)
The cumulative counters record good and bad attempts since the last time the counter was reset by a realm administrator. They are kept for statistical purposes: a realm might want to examine them periodically to try to detect methodical, slow dictionary attacks. By contrast, the consecutive bad attempts counter may be used to trigger one of the following four policies:
- NONE. The DBM takes no action other than incrementing the good and bad counters. This is the default policy.
- LOG. The DBM logs a security alert. The log file might be inspected by an external process that takes some arbitrary action upon finding the security alerts (e.g., sending mail to a realm administrator).
- FREEZE. When an account is frozen, the DBM returns a NAK even if the password hash matched. The only way to thaw it is for a realm administrator to reset the bad attempts counter to something less than the realm's chosen maximum bad attempts. In other words, human intervention is required.
- TEMPFREEZE. The TEMPFREEZE policy behaves like the FREEZE policy, except that once BADAUTH_BACKON seconds have passed, the account may be thawed without administrator intervention if the password hash matches.
Authentication Throttle
By connecting to multiple network daemons, an attacker could make many authentication guesses per second (a dictionary attack). An authentication delay gives realms some control over the rate at which an attacker can make attempts. The delay is given in milliseconds and is added to the time it takes to answer an authentication request. For instance, if the delay is "100", then a 1/10 second delay is added to each ACK or NAK in response to authentication requests for that realm, so no more than 10 tries per second would be possible per authcnetd connection. If the delay were 500, a 1/2 second delay would be added, and no more than two tries per second per authcnetd connection would be possible. Each realm should adjust this parameter to its security needs.
The maximum consecutive bad attempts counter, the four policies, and the authentication throttle are specified in the realm configuration file.
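The following simulation ties together the counters, the four policies and the authentication throttle described above. It is an added example written for this page, not code from the authentication DBM or authcnetd. The configuration field names (policy, max_bad_attempts, delay_ms), the SHA-256 stand-in for the realm's password hashing, the choice to measure BADAUTH_BACKON from the last bad attempt, and the decision to count a matching hash against a frozen account as a bad attempt are all assumptions; only BADAUTH_BACKON and the policy names come from the page.

```python
"""Simulation of a realm authentication DBM: per-user counters, the four
authentication policies, and the per-realm throttle delay (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# The four policies named on the page.
NONE, LOG, FREEZE, TEMPFREEZE = "NONE", "LOG", "FREEZE", "TEMPFREEZE"


def hash_password(password: str) -> str:
    """Stand-in for the realm's password hashing (assumption: SHA-256 here;
    the real scheme is chosen per realm and not specified on the page)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class RealmConfig:
    """Settings from the realm configuration file. Field names are assumed;
    only BADAUTH_BACKON is named on the page."""
    policy: str = NONE
    max_bad_attempts: int = 5   # maximum consecutive bad attempts
    badauth_backon: int = 600   # BADAUTH_BACKON, seconds before TEMPFREEZE may thaw
    delay_ms: int = 0           # authentication throttle, milliseconds


@dataclass
class UserCounters:
    stored_hash: str
    good: int = 0             # cumulative good attempts
    bad: int = 0              # cumulative bad attempts
    consecutive_bad: int = 0  # bad attempts since the last good one
    last_bad_at: float = 0.0  # assumption: needed to measure BADAUTH_BACKON


class AuthDBM:
    """Keeps per-user counters and applies the realm's policy and throttle."""

    def __init__(self, config: RealmConfig):
        self.config = config
        self.users: dict[str, UserCounters] = {}
        self.alerts: list[str] = []   # stands in for the security log

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = UserCounters(stored_hash=hash_password(password))

    def is_frozen(self, user: UserCounters, now: float) -> bool:
        cfg = self.config
        if cfg.policy not in (FREEZE, TEMPFREEZE):
            return False
        if user.consecutive_bad < cfg.max_bad_attempts:
            return False
        # TEMPFREEZE: the thaw window opens BADAUTH_BACKON seconds after the
        # last bad attempt (assumption: the page does not say from when).
        if cfg.policy == TEMPFREEZE and now - user.last_bad_at >= cfg.badauth_backon:
            return False
        return True

    def authenticate(self, name: str, presented_hash: str, now: float = 0.0):
        """Return (verdict, delay_ms): ACK or NAK plus the realm's throttle
        delay that must elapse before the answer is sent back to authcnetd."""
        user = self.users[name]
        cfg = self.config
        if presented_hash == user.stored_hash and not self.is_frozen(user, now):
            user.good += 1
            user.consecutive_bad = 0
            return "ACK", cfg.delay_ms
        # Hash mismatch, or a frozen account: both answer NAK. A matching
        # hash against a frozen account is counted as a bad attempt here
        # (assumption; the page only says it receives a NAK).
        user.bad += 1
        user.consecutive_bad += 1
        user.last_bad_at = now
        if cfg.policy == LOG and user.consecutive_bad >= cfg.max_bad_attempts:
            self.alerts.append(
                f"SECURITY ALERT: {name}: {user.consecutive_bad} consecutive bad attempts")
        return "NAK", cfg.delay_ms

    def admin_reset(self, name: str, consecutive_bad: int = 0) -> None:
        """A realm administrator thaws an account by resetting the counter to
        something below max_bad_attempts."""
        self.users[name].consecutive_bad = consecutive_bad


def max_tries_per_second(delay_ms: int) -> float:
    """Upper bound on guesses per second over one authcnetd connection."""
    return 1000 / delay_ms if delay_ms > 0 else float("inf")


if __name__ == "__main__":
    # Constructed walk-through: three bad guesses freeze the account, a correct
    # hash is still refused inside the BADAUTH_BACKON window, then accepted.
    dbm = AuthDBM(RealmConfig(policy=TEMPFREEZE, max_bad_attempts=3,
                              badauth_backon=600, delay_ms=500))
    dbm.add_user("alice", "correct horse")
    wrong, right = hash_password("guess"), hash_password("correct horse")
    for t in range(3):
        print(dbm.authenticate("alice", wrong, now=t))
    print(dbm.authenticate("alice", right, now=10))    # NAK: frozen
    print(dbm.authenticate("alice", right, now=700))   # ACK: thawed
    print("max tries/s at 500 ms:", max_tries_per_second(500))
```

The delay is returned rather than slept on so the logic can be exercised without waiting; a real server would sleep for that many milliseconds before writing the ACK or NAK, which is what caps an attacker at 1000/delay_ms guesses per second on each connection.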