What could cause these "failed to authenticate" logs other than failed login attempts (OSX)?

Posted by Tom on Server Fault See other posts from Server Fault or by Tom
Published on 2010-03-13T06:01:54Z Indexed on 2012/04/10 23:32 UTC
Read the original article Hit count: 278

Filed under:
|
|

I've found this in the Console logs:

10/03/10 3:53:58 PM    SecurityAgent[156]  User info context values set for tom
10/03/10 3:53:58 PM authorizationhost[154]  Failed to authenticate user  (tDirStatus: -14090).
10/03/10 3:54:00 PM SecurityAgent[156]  User info context values set for tom
10/03/10 3:54:00 PM authorizationhost[154]  Failed to authenticate user  (tDirStatus: -14090).
10/03/10 3:54:03 PM SecurityAgent[156]  User info context values set for tom
10/03/10 3:54:03 PM authorizationhost[154]  Failed to authenticate user  (tDirStatus: -14090).

There are about 11 of these "failed to authenticate" messages logged in quick succession. It looks to me like someone is sitting there trying to guess the password. However, when I tried to replicate this I get the same log messages except that this extra message appears after five attempts:

13/03/10 1:18:48 PM    DirectoryService[11]    Failed Authentication return is being delayed due to over five recent auth failures for username: tom.

I don't want to accuse someone of trying to break into an account without being sure that they were actually trying to break in. My question is this: is it almost definitely someone guessing a password, or could the 11 "failed to authenticate" messages be caused by something else?

EDIT: The actual user wasn't logged in, or using a computer at the time of the log in attempts.

© Server Fault or respective owner

Related posts about security

Related posts about macosx