Top Secret


 Changing FDT attribute of KERBVIO

Necmettin ILGIN posted Jul 13, 2021 09:37 AM
Hello community

We have implemented Kerberos NAS on z/OS on our two TEST LPARs. We can configure each user ACID to use Kerberos by adding a KERB segment. There is a field named KERBVIO on the base segment of each user ACID, but it has the non-display attribute. If I remove this non-display attribute from the base segment, could we see the number of violations this way? Is it a security bug to change this attribute to display? Also, is it possible to change the segment of this field name? I think it would be better to see this keyword or FDT name on the KERB segment instead of the base segment of the user ACIDs. This field name is directly related to the user's TSS password violations.

Each time a user ACID has a password violation while trying to authenticate via a Kerberos ticket, this KERBVIO value is incremented, and after a certain number of password violations the user is suspended. I think this prevents a user enumeration attack. If anyone has knowledge of Kerberos on z/OS, I will ask some other questions :)

Thanks..