diff options
Diffstat (limited to 'crypto/krb5/doc/html/admin/lockout.html')
| -rw-r--r-- | crypto/krb5/doc/html/admin/lockout.html | 291 |
1 files changed, 0 insertions, 291 deletions
diff --git a/crypto/krb5/doc/html/admin/lockout.html b/crypto/krb5/doc/html/admin/lockout.html deleted file mode 100644 index 3bedd7fb93dd..000000000000 --- a/crypto/krb5/doc/html/admin/lockout.html +++ /dev/null @@ -1,291 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>Account lockout — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" /> - <script src="../_static/documentation_options.js?v=236fef3b"></script> - <script src="../_static/doctools.js?v=888ff710"></script> - <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../about.html" /> - <link rel="index" title="Index" href="../genindex.html" /> - <link rel="search" title="Search" href="../search.html" /> - <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="next" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" /> - <link rel="prev" title="Database types" href="dbtypes.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="dbtypes.html" title="Database types" - accesskey="P">previous</a> | - <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end" - accesskey="N">next</a> | - <a href="../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div class="content"> - <div class="document"> - - <div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="account-lockout"> -<span id="lockout"></span><h1>Account lockout<a class="headerlink" href="#account-lockout" title="Link to this heading">¶</a></h1> -<p>As of release 1.8, the KDC can be configured to lock out principals -after a number of failed authentication attempts within a period of -time. Account lockout can make it more difficult to attack a -principal’s password by brute force, but also makes it easy for an -attacker to deny access to a principal.</p> -<section id="configuring-account-lockout"> -<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Link to this heading">¶</a></h2> -<p>Account lockout only works for principals with the -<strong>+requires_preauth</strong> flag set. Without this flag, the KDC cannot -know whether or not a client successfully decrypted the ticket it -issued. It is also important to set the <strong>-allow_svr</strong> flag on a -principal to protect its password from an off-line dictionary attack -through a TGS request. You can set these flags on a principal with -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> as follows:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">PRINCNAME</span> -</pre></div> -</div> -<p>Account lockout parameters are configured via <a class="reference internal" href="database.html#policies"><span class="std std-ref">policy objects</span></a>. There may be an existing policy associated with user -principals (such as the “default” policy), or you may need to create a -new one and associate it with each user principal.</p> -<p>The policy parameters related to account lockout are:</p> -<ul class="simple"> -<li><p><a class="reference internal" href="admin_commands/kadmin_local.html#policy-maxfailure"><span class="std std-ref">maxfailure</span></a>: the number of failed attempts -before the principal is locked out</p></li> -<li><p><a class="reference internal" href="admin_commands/kadmin_local.html#policy-failurecountinterval"><span class="std std-ref">failurecountinterval</span></a>: the -allowable interval between failed attempts</p></li> -<li><p><a class="reference internal" href="admin_commands/kadmin_local.html#policy-lockoutduration"><span class="std std-ref">lockoutduration</span></a>: the amount of time -a principal is locked out for</p></li> -</ul> -<p>Here is an example of setting these parameters on a new policy and -associating it with a principal:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addpol</span> <span class="o">-</span><span class="n">maxfailure</span> <span class="mi">10</span> <span class="o">-</span><span class="n">failurecountinterval</span> <span class="mi">180</span> - <span class="o">-</span><span class="n">lockoutduration</span> <span class="mi">60</span> <span class="n">lockout_policy</span> -<span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">policy</span> <span class="n">lockout_policy</span> <span class="n">PRINCNAME</span> -</pre></div> -</div> -</section> -<section id="testing-account-lockout"> -<h2>Testing account lockout<a class="headerlink" href="#testing-account-lockout" title="Link to this heading">¶</a></h2> -<p>To test that account lockout is working, try authenticating as the -principal (hopefully not one that might be in use) multiple times with -the wrong password. For instance, if <strong>maxfailure</strong> is set to 2, you -might see:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kinit user -Password for user@KRBTEST.COM: -kinit: Password incorrect while getting initial credentials -$ kinit user -Password for user@KRBTEST.COM: -kinit: Password incorrect while getting initial credentials -$ kinit user -kinit: Client's credentials have been revoked while getting initial credentials -</pre></div> -</div> -</section> -<section id="account-lockout-principal-state"> -<h2>Account lockout principal state<a class="headerlink" href="#account-lockout-principal-state" title="Link to this heading">¶</a></h2> -<p>A principal entry keeps three pieces of state related to account -lockout:</p> -<ul class="simple"> -<li><p>The time of last successful authentication</p></li> -<li><p>The time of last failed authentication</p></li> -<li><p>A counter of failed attempts</p></li> -</ul> -<p>The time of last successful authentication is not actually needed for -the account lockout system to function, but may be of administrative -interest. These fields can be observed with the <strong>getprinc</strong> kadmin -command. For example:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">user</span> -<span class="n">Principal</span><span class="p">:</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> -<span class="o">...</span> -<span class="n">Last</span> <span class="n">successful</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span> -<span class="n">Last</span> <span class="n">failed</span> <span class="n">authentication</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Dec</span> <span class="mi">03</span> <span class="mi">12</span><span class="p">:</span><span class="mi">30</span><span class="p">:</span><span class="mi">33</span> <span class="n">EST</span> <span class="mi">2012</span> -<span class="n">Failed</span> <span class="n">password</span> <span class="n">attempts</span><span class="p">:</span> <span class="mi">2</span> -<span class="o">...</span> -</pre></div> -</div> -<p>A principal which has been locked out can be administratively unlocked -with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin command:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">unlock</span> <span class="n">PRINCNAME</span> -</pre></div> -</div> -<p>This command will reset the number of failed attempts to 0.</p> -</section> -<section id="kdc-replication-and-account-lockout"> -<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Link to this heading">¶</a></h2> -<p>The account lockout state of a principal is not replicated by either -traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> or incremental propagation. Because of -this, the number of attempts an attacker can make within a time period -is multiplied by the number of KDCs. For instance, if the -<strong>maxfailure</strong> parameter on a policy is 10 and there are four KDCs in -the environment (a primary and three replicas), an attacker could make -as many as 40 attempts before the principal is locked out on all four -KDCs.</p> -<p>An administrative unlock is propagated from the primary to the replica -KDCs during the next propagation. Propagation of an administrative -unlock will cause the counter of failed attempts on each replica to -reset to 1 on the next failure.</p> -<p>If a KDC environment uses a replication strategy other than kprop or -incremental propagation, such as the LDAP KDB module with multi-master -LDAP replication, then account lockout state may be replicated between -KDCs and the concerns of this section may not apply.</p> -</section> -<section id="kdc-performance-and-account-lockout"> -<span id="disable-lockout"></span><h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Link to this heading">¶</a></h2> -<p>In order to fully track account lockout state, the KDC must write to -the the database on each successful and failed authentication. -Writing to the database is generally more expensive than reading from -it, so these writes may have a significant impact on KDC performance. -As of release 1.9, it is possible to turn off account lockout state -tracking in order to improve performance, by setting the -<strong>disable_last_success</strong> and <strong>disable_lockout</strong> variables in the -database module subsection of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. For example:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span> - <span class="n">DB</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span> - <span class="n">disable_lockout</span> <span class="o">=</span> <span class="n">true</span> - <span class="p">}</span> -</pre></div> -</div> -<p>Of the two variables, setting <strong>disable_last_success</strong> will usually -have the largest positive impact on performance, and will still allow -account lockout policies to operate. However, it will make it -impossible to observe the last successful authentication time with -kadmin.</p> -</section> -<section id="kdc-setup-and-account-lockout"> -<h2>KDC setup and account lockout<a class="headerlink" href="#kdc-setup-and-account-lockout" title="Link to this heading">¶</a></h2> -<p>To update the account lockout state on principals, the KDC must be -able to write to the principal database. For the DB2 module, no -special setup is required. For the LDAP module, the KDC DN must be -granted write access to the principal objects. If the KDC DN has only -read access, account lockout will not function.</p> -</section> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">Account lockout</a><ul> -<li><a class="reference internal" href="#configuring-account-lockout">Configuring account lockout</a></li> -<li><a class="reference internal" href="#testing-account-lockout">Testing account lockout</a></li> -<li><a class="reference internal" href="#account-lockout-principal-state">Account lockout principal state</a></li> -<li><a class="reference internal" href="#kdc-replication-and-account-lockout">KDC replication and account lockout</a></li> -<li><a class="reference internal" href="#kdc-performance-and-account-lockout">KDC performance and account lockout</a></li> -<li><a class="reference internal" href="#kdc-setup-and-account-lockout">KDC setup and account lockout</a></li> -</ul> -</li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> -<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> -<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> -<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> -<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> -<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="#">Account lockout</a></li> -<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> -<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> -<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> -<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> -<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> -<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> -<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> -<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> -<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> -<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> -<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> -<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> -<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> -<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> -<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> -<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.22-final</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2025, MIT. - </div> - <div class="left"> - - <a href="../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="dbtypes.html" title="Database types" - >previous</a> | - <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end" - >next</a> | - <a href="../genindex.html" title="General Index" - >index</a> | - <a href="../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file |