path: root/doc/html/admin/lockout.html
author: Cy Schubert <cy@FreeBSD.org> 2023-08-04 17:53:10 +0000
committer: Cy Schubert <cy@FreeBSD.org> 2023-08-04 17:53:10 +0000
commit: 0320e0d5bb9fbb5da53478b3fd80ad79b110191d
tree: e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/admin/lockout.html
parent: b0e4d68d5124581ae353493d69bea352de4cff8a
Diffstat (limited to 'doc/html/admin/lockout.html')
-rw-r--r-- doc/html/admin/lockout.html 101
1 files changed, 50 insertions, 51 deletions
diff --git a/doc/html/admin/lockout.html b/doc/html/admin/lockout.html
index ad1b66e5458c..f9c33d949ad0 100644
--- a/doc/html/admin/lockout.html
+++ b/doc/html/admin/lockout.html
@@ -1,35 +1,33 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>Account lockout &mdash; MIT Kerberos Documentation</title>
-
+ <title>Account lockout &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
- <link rel="up" title="For administrators" href="index.html" />
<link rel="next" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" />
- <link rel="prev" title="Database administration" href="database.html" />
+ <link rel="prev" title="Database types" href="dbtypes.html" />
</head>
<body>
<div class="header-wrapper">
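Review bot: The added empty first line (the lone `+` line before the `<!DOCTYPE>` declaration) is a generator artifact; browsers ignore whitespace before the doctype, so it is harmless, but it is noise in a vendored file and would be worth dropping if the page is regenerated. The same hunk removes the `rel="top"` and `rel="up"` link elements and adds `rel="index"`/`rel="search"` plus the `SOURCELINK_SUFFIX` option, which is consistent with the pages having been rebuilt by a newer Sphinx; the retargeted `<link rel="prev">` to dbtypes.html should be cross-checked against the navigation and toctree edits later in this same file so that all three agree.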
@@ -42,7 +40,7 @@
<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
- <a href="database.html" title="Database administration"
+ <a href="dbtypes.html" title="Database types"
accesskey="P">previous</a> |
<a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
accesskey="N">next</a> |
@@ -61,14 +59,14 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="account-lockout">
-<h1>Account lockout<a class="headerlink" href="#account-lockout" title="Permalink to this headline">¶</a></h1>
+<span id="lockout"></span><h1>Account lockout<a class="headerlink" href="#account-lockout" title="Permalink to this headline">¶</a></h1>
<p>As of release 1.8, the KDC can be configured to lock out principals
after a number of failed authentication attempts within a period of
time. Account lockout can make it more difficult to attack a
-principal&#8217;s password by brute force, but also makes it easy for an
+principal’s password by brute force, but also makes it easy for an
attacker to deny access to a principal.</p>
<div class="section" id="configuring-account-lockout">
<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Permalink to this headline">¶</a></h2>
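Review bot: Replacing the `&#8217;` entity with a literal ’ in "principal’s" (the `+` line in the first body paragraph) makes the file depend on being stored and served as UTF-8; the `<meta http-equiv="Content-Type" ... charset=utf-8>` in the head covers the served side, but the commit should be checked to be byte-for-byte UTF-8 with no latin-1 or CRLF conversion in the build, since the following hunk introduces the same style of curly quotes around “default”. The added `<span id="lockout"></span>` is an extra cross-reference target next to the existing `id="account-lockout"` and is fine; the `role="main"` attribute is an accessibility improvement.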
@@ -78,27 +76,27 @@ know whether or not a client successfully decrypted the ticket it
issued. It is also important to set the <strong>-allow_svr</strong> flag on a
principal to protect its password from an off-line dictionary attack
through a TGS request. You can set these flags on a principal with
-<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> as follows:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc +requires_preauth -allow_svr PRINCNAME
+<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> as follows:</p>
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">PRINCNAME</span>
</pre></div>
</div>
-<p>Account lockout parameters are configured via <a class="reference internal" href="database.html#policies"><em>policy objects</em></a>. There may be an existing policy associated with user
-principals (such as the &#8220;default&#8221; policy), or you may need to create a
+<p>Account lockout parameters are configured via <a class="reference internal" href="database.html#policies"><span class="std std-ref">policy objects</span></a>. There may be an existing policy associated with user
+principals (such as the “default” policy), or you may need to create a
new one and associate it with each user principal.</p>
<p>The policy parameters related to account lockout are:</p>
<ul class="simple">
-<li><a class="reference internal" href="database.html#policy-maxfailure"><em>maxfailure</em></a>: the number of failed attempts
+<li><a class="reference internal" href="admin_commands/kadmin_local.html#policy-maxfailure"><span class="std std-ref">maxfailure</span></a>: the number of failed attempts
before the principal is locked out</li>
-<li><a class="reference internal" href="database.html#policy-failurecountinterval"><em>failurecountinterval</em></a>: the
+<li><a class="reference internal" href="admin_commands/kadmin_local.html#policy-failurecountinterval"><span class="std std-ref">failurecountinterval</span></a>: the
allowable interval between failed attempts</li>
-<li><a class="reference internal" href="database.html#policy-lockoutduration"><em>lockoutduration</em></a>: the amount of time
+<li><a class="reference internal" href="admin_commands/kadmin_local.html#policy-lockoutduration"><span class="std std-ref">lockoutduration</span></a>: the amount of time
a principal is locked out for</li>
</ul>
<p>Here is an example of setting these parameters on a new policy and
associating it with a principal:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: addpol -maxfailure 10 -failurecountinterval 180
- -lockoutduration 60 lockout_policy
-kadmin: modprinc -policy lockout_policy PRINCNAME
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addpol</span> <span class="o">-</span><span class="n">maxfailure</span> <span class="mi">10</span> <span class="o">-</span><span class="n">failurecountinterval</span> <span class="mi">180</span>
+ <span class="o">-</span><span class="n">lockoutduration</span> <span class="mi">60</span> <span class="n">lockout_policy</span>
+<span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">policy</span> <span class="n">lockout_policy</span> <span class="n">PRINCNAME</span>
</pre></div>
</div>
</div>
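Review bot: The three policy-parameter links are retargeted from `database.html#policy-maxfailure` (and its two sibling anchors) to `admin_commands/kadmin_local.html#policy-maxfailure`, `#policy-failurecountinterval` and `#policy-lockoutduration`; this hunk cannot show whether those anchors exist, and the diffstat is limited to lockout.html, so the reviewer should confirm that the kadmin_local.html in this tree defines them, otherwise the list at the centre of the lockout instructions links to nothing. The `highlight-python` to `highlight-default` change only alters the `<span>` markup inside `<pre>`; the visible text of `modprinc +requires_preauth -allow_svr PRINCNAME` and of the `addpol -maxfailure 10 -failurecountinterval 180 -lockoutduration 60 lockout_policy` example is unchanged, which is the property that matters on a page whose security advice is the commands themselves.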
@@ -108,7 +106,7 @@ kadmin: modprinc -policy lockout_policy PRINCNAME
principal (hopefully not one that might be in use) multiple times with
the wrong password. For instance, if <strong>maxfailure</strong> is set to 2, you
might see:</p>
-<div class="highlight-python"><div class="highlight"><pre>$ kinit user
+<div class="highlight-default"><div class="highlight"><pre><span></span>$ kinit user
Password for user@KRBTEST.COM:
kinit: Password incorrect while getting initial credentials
$ kinit user
@@ -132,18 +130,18 @@ lockout:</p>
the account lockout system to function, but may be of administrative
interest. These fields can be observed with the <strong>getprinc</strong> kadmin
command. For example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc user
-Principal: user@KRBTEST.COM
-...
-Last successful authentication: [never]
-Last failed authentication: Mon Dec 03 12:30:33 EST 2012
-Failed password attempts: 2
-...
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">user</span>
+<span class="n">Principal</span><span class="p">:</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span>
+<span class="o">...</span>
+<span class="n">Last</span> <span class="n">successful</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
+<span class="n">Last</span> <span class="n">failed</span> <span class="n">authentication</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Dec</span> <span class="mi">03</span> <span class="mi">12</span><span class="p">:</span><span class="mi">30</span><span class="p">:</span><span class="mi">33</span> <span class="n">EST</span> <span class="mi">2012</span>
+<span class="n">Failed</span> <span class="n">password</span> <span class="n">attempts</span><span class="p">:</span> <span class="mi">2</span>
+<span class="o">...</span>
</pre></div>
</div>
<p>A principal which has been locked out can be administratively unlocked
with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin command:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc -unlock PRINCNAME
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">unlock</span> <span class="n">PRINCNAME</span>
</pre></div>
</div>
<p>This command will reset the number of failed attempts to 0.</p>
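Review bot: The pygments "default" lexer tokenizes `user@KRBTEST.COM` in the getprinc output as `user`, a decorator-like `@KRBTEST` (the `nd` class), `.` and `COM`, which affects only colouring: the spans are adjacent with no whitespace inserted, so the principal name and the `Failed password attempts: 2` line still read exactly as before. Tagging these shell and kadmin transcripts as plain text in the Sphinx source would avoid the misleading highlighting, but that is a source change, not something to patch in the generated HTML.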
@@ -151,16 +149,16 @@ with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin
<div class="section" id="kdc-replication-and-account-lockout">
<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Permalink to this headline">¶</a></h2>
<p>The account lockout state of a principal is not replicated by either
-traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> or incremental propagation. Because of
+traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> or incremental propagation. Because of
this, the number of attempts an attacker can make within a time period
is multiplied by the number of KDCs. For instance, if the
<strong>maxfailure</strong> parameter on a policy is 10 and there are four KDCs in
-the environment (a master and three slaves), an attacker could make as
-many as 40 attempts before the principal is locked out on all four
+the environment (a primary and three replicas), an attacker could make
+as many as 40 attempts before the principal is locked out on all four
KDCs.</p>
-<p>An administrative unlock is propagated from the master to the slave
+<p>An administrative unlock is propagated from the primary to the replica
KDCs during the next propagation. Propagation of an administrative
-unlock will cause the counter of failed attempts on each slave to
+unlock will cause the counter of failed attempts on each replica to
reset to 1 on the next failure.</p>
<p>If a KDC environment uses a replication strategy other than kprop or
incremental propagation, such as the LDAP KDB module with multi-master
@@ -168,7 +166,7 @@ LDAP replication, then account lockout state may be replicated between
KDCs and the concerns of this section may not apply.</p>
</div>
<div class="section" id="kdc-performance-and-account-lockout">
-<h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<span id="disable-lockout"></span><h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Permalink to this headline">¶</a></h2>
<p>In order to fully track account lockout state, the KDC must write to
the the database on each successful and failed authentication.
Writing to the database is generally more expensive than reading from
@@ -176,12 +174,12 @@ it, so these writes may have a significant impact on KDC performance.
As of release 1.9, it is possible to turn off account lockout state
tracking in order to improve performance, by setting the
<strong>disable_last_success</strong> and <strong>disable_lockout</strong> variables in the
-database module subsection of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. For example:</p>
-<div class="highlight-python"><div class="highlight"><pre>[dbmodules]
- DB = {
- disable_last_success = true
- disable_lockout = true
- }
+database module subsection of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. For example:</p>
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
+ <span class="n">DB</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span>
+ <span class="n">disable_lockout</span> <span class="o">=</span> <span class="n">true</span>
+ <span class="p">}</span>
</pre></div>
</div>
<p>Of the two variables, setting <strong>disable_last_success</strong> will usually
@@ -228,15 +226,16 @@ read access, account lockout will not function.</p>
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="">Account lockout</a><ul class="simple">
-</ul>
-</li>
+<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
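Review bot: The current-page self-link changes from `href=""` to `href="#"`, which is an improvement: `href=""` resolves to the document's own URL and reloads the page when clicked, whereas `#` is the conventional in-page anchor, and dropping the empty nested `<ul class="simple"></ul>` removes dead markup. The new sidebar entries for dbtypes.html, spake.html and dictionary.html, like the retargeted prev link in the head, assume those pages exist in the same commit; with the diffstat limited to lockout.html that cannot be verified from this diff alone.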
@@ -276,14 +275,14 @@ read access, account lockout will not function.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
- <a href="database.html" title="Database administration"
+ <a href="dbtypes.html" title="Database types"
>previous</a> |
<a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
>next</a> |
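Review bot: The footer's `Release: 1.21.1` and `1985-2023` copyright range match the `VERSION: '1.21.1'` string changed in the head and the 2023-08-04 commit date, and the previous link again points to dbtypes.html, so the three places that encode the page's navigation and version are consistent within this file.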