Diffstat (limited to 'doc/html/admin/lockout.html')
-rw-r--r-- doc/html/admin/lockout.html 36
1 files changed, 17 insertions, 19 deletions
diff --git a/doc/html/admin/lockout.html b/doc/html/admin/lockout.html
index 8f6d4507ead1..3bedd7fb93dd 100644
--- a/doc/html/admin/lockout.html
+++ b/doc/html/admin/lockout.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Account lockout &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
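Review bot: The added viewport line in the head now carries two `<meta name="viewport">` tags with different values, `initial-scale=1.0` and `initial-scale=1`, where the removed line had one viewport tag followed by the Docutils generator tag. Keep a single viewport declaration. If this file is build output, remove the duplicate in the theme or layout template so the next regeneration does not bring it back. The hunk also drops `jquery.js` and `underscore.js`, so it is worth confirming that no remaining script under `_static/` still expects them.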
@@ -53,14 +51,14 @@
<div class="body" role="main">
<section id="account-lockout">
-<span id="lockout"></span><h1>Account lockout<a class="headerlink" href="#account-lockout" title="Permalink to this headline">¶</a></h1>
+<span id="lockout"></span><h1>Account lockout<a class="headerlink" href="#account-lockout" title="Link to this heading">¶</a></h1>
<p>As of release 1.8, the KDC can be configured to lock out principals
after a number of failed authentication attempts within a period of
time. Account lockout can make it more difficult to attack a
principal’s password by brute force, but also makes it easy for an
attacker to deny access to a principal.</p>
<section id="configuring-account-lockout">
-<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Permalink to this headline">¶</a></h2>
+<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Link to this heading">¶</a></h2>
<p>Account lockout only works for principals with the
<strong>+requires_preauth</strong> flag set. Without this flag, the KDC cannot
know whether or not a client successfully decrypted the ticket it
@@ -92,7 +90,7 @@ associating it with a principal:</p>
</div>
</section>
<section id="testing-account-lockout">
-<h2>Testing account lockout<a class="headerlink" href="#testing-account-lockout" title="Permalink to this headline">¶</a></h2>
+<h2>Testing account lockout<a class="headerlink" href="#testing-account-lockout" title="Link to this heading">¶</a></h2>
<p>To test that account lockout is working, try authenticating as the
principal (hopefully not one that might be in use) multiple times with
the wrong password. For instance, if <strong>maxfailure</strong> is set to 2, you
@@ -109,7 +107,7 @@ kinit: Client&#39;s credentials have been revoked while getting initial credenti
</div>
</section>
<section id="account-lockout-principal-state">
-<h2>Account lockout principal state<a class="headerlink" href="#account-lockout-principal-state" title="Permalink to this headline">¶</a></h2>
+<h2>Account lockout principal state<a class="headerlink" href="#account-lockout-principal-state" title="Link to this heading">¶</a></h2>
<p>A principal entry keeps three pieces of state related to account
lockout:</p>
<ul class="simple">
@@ -138,7 +136,7 @@ with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin
<p>This command will reset the number of failed attempts to 0.</p>
</section>
<section id="kdc-replication-and-account-lockout">
-<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Link to this heading">¶</a></h2>
<p>The account lockout state of a principal is not replicated by either
traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> or incremental propagation. Because of
this, the number of attempts an attacker can make within a time period
@@ -157,7 +155,7 @@ LDAP replication, then account lockout state may be replicated between
KDCs and the concerns of this section may not apply.</p>
</section>
<section id="kdc-performance-and-account-lockout">
-<span id="disable-lockout"></span><h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<span id="disable-lockout"></span><h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Link to this heading">¶</a></h2>
<p>In order to fully track account lockout state, the KDC must write to
the the database on each successful and failed authentication.
Writing to the database is generally more expensive than reading from
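Review bot: The context line "the the database on each successful and failed authentication" in the "KDC performance and account lockout" section still has the doubled "the", so this change carries the typo forward unchanged. Fix it in the documentation source that this page is built from rather than in the HTML, so the correction survives the next rebuild.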
@@ -180,7 +178,7 @@ impossible to observe the last successful authentication time with
kadmin.</p>
</section>
<section id="kdc-setup-and-account-lockout">
-<h2>KDC setup and account lockout<a class="headerlink" href="#kdc-setup-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<h2>KDC setup and account lockout<a class="headerlink" href="#kdc-setup-and-account-lockout" title="Link to this heading">¶</a></h2>
<p>To update the account lockout state on principals, the KDC must be
able to write to the principal database. For the DB2 module, no
special setup is required. For the LDAP module, the KDC DN must be
@@ -269,8 +267,8 @@ read access, account lockout will not function.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
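Review bot: The footer now renders "Release: 1.22-final", where the removed line showed a plain version number ("1.21.3"). Please confirm the "-final" suffix is meant to appear in the published page; if it is a tag name leaking into the doc build's version string, set that string to the release number before regenerating.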