diff options
Diffstat (limited to 'doc/html/admin/lockout.html')
| -rw-r--r-- | doc/html/admin/lockout.html | 300 |
1 files changed, 300 insertions, 0 deletions
diff --git a/doc/html/admin/lockout.html b/doc/html/admin/lockout.html new file mode 100644 index 000000000000..96cae8efd487 --- /dev/null +++ b/doc/html/admin/lockout.html @@ -0,0 +1,300 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + + <title>Account lockout — MIT Kerberos Documentation</title> + + <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> + + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../', + VERSION: '1.15.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true + }; + </script> + <script type="text/javascript" src="../_static/jquery.js"></script> + <script type="text/javascript" src="../_static/underscore.js"></script> + <script type="text/javascript" src="../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../about.html" /> + <link rel="copyright" title="Copyright" href="../copyright.html" /> + <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> + <link rel="up" title="For administrators" href="index.html" /> + <link rel="next" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" /> + <link rel="prev" title="Database administration" href="database.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="database.html" title="Database administration" + accesskey="P">previous</a> | + <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end" + accesskey="N">next</a> | + <a href="../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../search.html" title="Enter search criteria" + accesskey="S">Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body"> + + <div class="section" id="account-lockout"> +<h1>Account lockout<a class="headerlink" href="#account-lockout" title="Permalink to this headline">¶</a></h1> +<p>As of release 1.8, the KDC can be configured to lock out principals +after a number of failed authentication attempts within a period of +time. Account lockout can make it more difficult to attack a +principal’s password by brute force, but also makes it easy for an +attacker to deny access to a principal.</p> +<div class="section" id="configuring-account-lockout"> +<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Permalink to this headline">¶</a></h2> +<p>Account lockout only works for principals with the +<strong>+requires_preauth</strong> flag set. Without this flag, the KDC cannot +know whether or not a client successfully decrypted the ticket it +issued. It is also important to set the <strong>-allow_svr</strong> flag on a +principal to protect its password from an off-line dictionary attack +through a TGS request. You can set these flags on a principal with +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> as follows:</p> +<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc +requires_preauth -allow_svr PRINCNAME +</pre></div> +</div> +<p>Account lockout parameters are configured via <a class="reference internal" href="database.html#policies"><em>policy objects</em></a>. There may be an existing policy associated with user +principals (such as the “default” policy), or you may need to create a +new one and associate it with each user principal.</p> +<p>The policy parameters related to account lockout are:</p> +<ul class="simple"> +<li><a class="reference internal" href="database.html#policy-maxfailure"><em>maxfailure</em></a>: the number of failed attempts +before the principal is locked out</li> +<li><a class="reference internal" href="database.html#policy-failurecountinterval"><em>failurecountinterval</em></a>: the +allowable interval between failed attempts</li> +<li><a class="reference internal" href="database.html#policy-lockoutduration"><em>lockoutduration</em></a>: the amount of time +a principal is locked out for</li> +</ul> +<p>Here is an example of setting these parameters on a new policy and +associating it with a principal:</p> +<div class="highlight-python"><div class="highlight"><pre>kadmin: addpol -maxfailure 10 -failurecountinterval 180 + -lockoutduration 60 lockout_policy +kadmin: modprinc -policy lockout_policy PRINCNAME +</pre></div> +</div> +</div> +<div class="section" id="testing-account-lockout"> +<h2>Testing account lockout<a class="headerlink" href="#testing-account-lockout" title="Permalink to this headline">¶</a></h2> +<p>To test that account lockout is working, try authenticating as the +principal (hopefully not one that might be in use) multiple times with +the wrong password. For instance, if <strong>maxfailure</strong> is set to 2, you +might see:</p> +<div class="highlight-python"><div class="highlight"><pre>$ kinit user +Password for user@KRBTEST.COM: +kinit: Password incorrect while getting initial credentials +$ kinit user +Password for user@KRBTEST.COM: +kinit: Password incorrect while getting initial credentials +$ kinit user +kinit: Client's credentials have been revoked while getting initial credentials +</pre></div> +</div> +</div> +<div class="section" id="account-lockout-principal-state"> +<h2>Account lockout principal state<a class="headerlink" href="#account-lockout-principal-state" title="Permalink to this headline">¶</a></h2> +<p>A principal entry keeps three pieces of state related to account +lockout:</p> +<ul class="simple"> +<li>The time of last successful authentication</li> +<li>The time of last failed authentication</li> +<li>A counter of failed attempts</li> +</ul> +<p>The time of last successful authentication is not actually needed for +the account lockout system to function, but may be of administrative +interest. These fields can be observed with the <strong>getprinc</strong> kadmin +command. For example:</p> +<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc user +Principal: user@KRBTEST.COM +... +Last successful authentication: [never] +Last failed authentication: Mon Dec 03 12:30:33 EST 2012 +Failed password attempts: 2 +... +</pre></div> +</div> +<p>A principal which has been locked out can be administratively unlocked +with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin command:</p> +<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc -unlock PRINCNAME +</pre></div> +</div> +<p>This command will reset the number of failed attempts to 0.</p> +</div> +<div class="section" id="kdc-replication-and-account-lockout"> +<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Permalink to this headline">¶</a></h2> +<p>The account lockout state of a principal is not replicated by either +traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> or incremental propagation. Because of +this, the number of attempts an attacker can make within a time period +is multiplied by the number of KDCs. For instance, if the +<strong>maxfailure</strong> parameter on a policy is 10 and there are four KDCs in +the environment (a master and three slaves), an attacker could make as +many as 40 attempts before the principal is locked out on all four +KDCs.</p> +<p>An administrative unlock is propagated from the master to the slave +KDCs during the next propagation. Propagation of an administrative +unlock will cause the counter of failed attempts on each slave to +reset to 1 on the next failure.</p> +<p>If a KDC environment uses a replication strategy other than kprop or +incremental propagation, such as the LDAP KDB module with multi-master +LDAP replication, then account lockout state may be replicated between +KDCs and the concerns of this section may not apply.</p> +</div> +<div class="section" id="kdc-performance-and-account-lockout"> +<h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Permalink to this headline">¶</a></h2> +<p>In order to fully track account lockout state, the KDC must write to +the the database on each successful and failed authentication. +Writing to the database is generally more expensive than reading from +it, so these writes may have a significant impact on KDC performance. +As of release 1.9, it is possible to turn off account lockout state +tracking in order to improve performance, by setting the +<strong>disable_last_success</strong> and <strong>disable_lockout</strong> variables in the +database module subsection of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. For example:</p> +<div class="highlight-python"><div class="highlight"><pre>[dbmodules] + DB = { + disable_last_success = true + disable_lockout = true + } +</pre></div> +</div> +<p>Of the two variables, setting <strong>disable_last_success</strong> will usually +have the largest positive impact on performance, and will still allow +account lockout policies to operate. However, it will make it +impossible to observe the last successful authentication time with +kadmin.</p> +</div> +<div class="section" id="kdc-setup-and-account-lockout"> +<h2>KDC setup and account lockout<a class="headerlink" href="#kdc-setup-and-account-lockout" title="Permalink to this headline">¶</a></h2> +<p>To update the account lockout state on principals, the KDC must be +able to write to the principal database. For the DB2 module, no +special setup is required. For the LDAP module, the KDC DN must be +granted write access to the principal objects. If the KDC DN has only +read access, account lockout will not function.</p> +</div> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">Account lockout</a><ul> +<li><a class="reference internal" href="#configuring-account-lockout">Configuring account lockout</a></li> +<li><a class="reference internal" href="#testing-account-lockout">Testing account lockout</a></li> +<li><a class="reference internal" href="#account-lockout-principal-state">Account lockout principal state</a></li> +<li><a class="reference internal" href="#kdc-replication-and-account-lockout">KDC replication and account lockout</a></li> +<li><a class="reference internal" href="#kdc-performance-and-account-lockout">KDC performance and account lockout</a></li> +<li><a class="reference internal" href="#kdc-setup-and-account-lockout">KDC setup and account lockout</a></li> +</ul> +</li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> +<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> +<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> +<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> +<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="">Account lockout</a><ul class="simple"> +</ul> +</li> +<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> +<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> +<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> +<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> +<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> +<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> +<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> +<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> +<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> +<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> +<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> +<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li> +</ul> +</li> +<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.15.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + </div> + <div class="left"> + + <a href="../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="database.html" title="Database administration" + >previous</a> | + <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end" + >next</a> | + <a href="../genindex.html" title="General Index" + >index</a> | + <a href="../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file |