[11991] in Kerberos-V5-bugs


[krbdev.mit.edu #6910] Account lockout policy parameters not

daemon@ATHENA.MIT.EDU (Shawn Emery via RT)
Tue May 10 15:02:16 2011

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Shawn Emery via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6910@krbdev.mit.edu>
Message-ID: <rt-6910-34043.13.1283137761898@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6910'":;"'AdminCc of krbdev.mit.edu Ticket #6910'":;@MIT.EDU
Date: Tue, 10 May 2011 15:02:01 -0400 (EDT)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Note: The changes below assume that kadmin's option arguments are fixed
to accept the usual time formats.

KADMIN(1):
@@ -378,10 +378,16 @@
                 for  setting the key of the principal.  The quotes
                 are    necessary    if    there    are    multiple
                 enctype-salttype  pairs.   This  will not function
                 against kadmin daemons earlier than krb5-1.2.

+      -unlock
+           Unlocks the principal so that it can successfully authenticate.
+           If the principal had previously been locked due to reaching
+           maxfailure in failurecountinterval time then the principal
+           will be locked for lockoutduration time.
+
            EXAMPLE:
                 kadmin: addprinc tlyu/admin
                 WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
                 defaulting to no policy.
                 Enter password for principal tlyu/admin@BLEEP.COM:
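Review bot: the second sentence of the new -unlock entry describes when a principal becomes locked rather than what -unlock does, so it reads as if -unlock itself locks the principal for lockoutduration. Suggest rewording along the lines of: "A principal that reaches maxfailure authentication failures within failurecountinterval is locked for lockoutduration; -unlock clears that lock so the principal can authenticate before the duration expires." It would also help to say that maxfailure, failurecountinterval and lockoutduration are the policy parameters documented under add_policy, since a reader of this option has not seen them yet.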
@@ -580,10 +586,27 @@
       add_policy [options] policy
            adds the named policy to the policy database.  Requires
            the  add  privilege.  Aliased to addpol.  The following
            options are available:

+      -maxfailure maxnumber
+           sets the maximum number of failures before the principal is
+           locked after authentication failures in failurecountinterval
+           time.
+
+      -failurecountinterval failuretime
+           sets the time after which the authentication failure count is
+           reset 0.  See the Time Formats section for the valid time
+           duration formats that you can specify for failuretime.
+
+      -lockoutduration lockouttime
+           sets the time in which the principal is locked from
+           authenticating if maxfailure authentication failures occur
+           within failurecountinterval time.  See the Time Formats section
+           for the valid time duration formats that you can specify for
+           lockouttime.
+
            -maxlife time
                 sets the maximum lifetime of a password

            -minlife time
                 sets the minimum lifetime of a password
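Review bot: "reset 0" in the -failurecountinterval entry is missing a word ("reset to 0"), and the -maxfailure sentence is hard to parse ("locked after authentication failures in failurecountinterval time"); suggest "sets the number of authentication failures within failurecountinterval after which the principal is locked". None of the three new entries states the default value or what value (if any) disables the lockout check, which an administrator configuring a policy needs to know; please add that to each entry.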
@@ -651,12 +674,15 @@
                 Minimum password life: 00:00:00
                 Minimum password length: 6
                 Minimum number of password character classes: 2
                 Number of old keys kept: 5
                 Reference count: 17
+               Maximum password failures before lockout: 3
+               Password failure count reset interval: 180
+               Password lockout duration: 60
                 kadmin: get_policy -terse admin
-               admin     15552000  0    6    2    5    17
+               admin     15552000  0    6    2    5    17    3    
180    60
                 kadmin:

            ERRORS:
                 KADM5_AUTH_GET (requires the get privilege)
                 KADM5_UNK_POLICY (policy does not exist)
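Review bot: the added terse output line is wrapped across two lines ("... 17    3" followed by "180    60"), which breaks the diff as posted; the whole terse record belongs on one line. In the verbose output, "Password failure count reset interval: 180" and "Password lockout duration: 60" are bare numbers while the existing "Minimum password life: 00:00:00" is printed as a formatted duration; suggest either printing the new fields in the same format or stating the unit (seconds, presumably) so a reader cannot mistake 180 for minutes.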

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
