[17446] in Kerberos_V5_Development

Re: Lock a user after X unsuccessful attempts

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Dec 17 13:28:56 2011

Message-ID: <4EECDF64.7030209@mit.edu>
Date: Sat, 17 Dec 2011 13:28:52 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: remi.ferrand@cc.in2p3.fr
In-Reply-To: <4EEBC7DB.10501@cc.in2p3.fr>
Cc: Kerberos-Dev List <krbdev@mit.edu>, Kerberos List <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 12/16/2011 05:36 PM, Remi Ferrand wrote:
> I would like to lock my users' accounts for a predefined amount of time
> (e.g. 30 minutes) after they made X unsuccessful identification attempts,
> as it was possible with the KAS server of OpenAFS
> (http://docs.openafs.org/AdminGuide/ch13s06.html)

If your KDC is MIT krb5 1.8 or higher, you can use the built-in account
lockout support.  See the kadmin man page where it documents the
-maxfailure, -failurecountinterval, and -lockoutduration policy parameters.

Note that account lockout support only works for principals which
require preauthentication.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
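
An added example, not part of the original message: the kadmin queries for a lockout policy built from the three parameters named above, plus a check over `getprinc` output for principals that carry the policy but do not require preauthentication, where lockout would not apply. The policy name, realm, principal names, thresholds and the abridged sample output are all constructed for illustration.

```shell
#!/bin/sh
POLICY=lockout   # hypothetical policy name

# Print the kadmin queries that create the policy and enrol one principal.
# Thresholds are assumptions: 5 failures counted over 10 minutes, 30 minute lock.
# Review the output, then enter the queries at the kadmin prompt on the KDC.
lockout_setup() {
    printf 'add_policy -maxfailure 5 -failurecountinterval "10 minutes" -lockoutduration "30 minutes" %s\n' "$POLICY"
    printf 'modify_principal -policy %s +requires_preauth %s\n' "$POLICY" "$1"
}

# Read concatenated `getprinc` output on stdin and print every principal that
# is assigned $POLICY but lacks the REQUIRES_PRE_AUTH attribute.
audit_preauth() {
    awk -v pol="$POLICY" '
        function report() {
            if (p != "" && policy == pol && attrs !~ /REQUIRES_PRE_AUTH/) print p
        }
        /^Principal: / { report(); p = $2; policy = ""; attrs = "" }
        /^Attributes:/ { attrs = $0 }
        /^Policy: /    { policy = $2 }
        END            { report() }
    '
}

# Constructed, abridged getprinc output for three principals.
sample_getprinc() {
cat <<'EOF'
Principal: alice@EXAMPLE.COM
Failed password attempts: 0
Attributes: REQUIRES_PRE_AUTH
Policy: lockout
Principal: bob@EXAMPLE.COM
Failed password attempts: 7
Attributes:
Policy: lockout
Principal: svc@EXAMPLE.COM
Failed password attempts: 0
Attributes:
Policy: [none]
EOF
}

lockout_setup carol@EXAMPLE.COM
echo "Policy assigned but lockout not effective for:"
sample_getprinc | audit_preauth
```

A principal that has been locked can be released before the lockout duration expires with `modify_principal -unlock`.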