[krbdev.mit.edu #6910] Account lockout policy parameters not documented
Shawn Emery via RT
rt-comment at krbdev.mit.edu
Tue May 10 15:02:01 EDT 2011
Note: The changes below assume that kadmin's option arguments are fixed
to accept the usual time formats.
KADMIN(1):
@@ -378,10 +378,16 @@
for setting the key of the principal. The quotes
are necessary if there are multiple
enctype-salttype pairs. This will not function
against kadmin daemons earlier than krb5-1.2.
+ -unlock
+ Unlocks the principal so that it can successfully authenticate.
+ If the principal had previously been locked due to reaching
+ maxfailure in failurecountinterval time then the principal
+ will be locked for lockoutduration time.
+
EXAMPLE:
kadmin: addprinc tlyu/admin
WARNING: no policy specified for "tlyu/admin at BLEEP.COM";
defaulting to no policy.
Enter password for principal tlyu/admin at BLEEP.COM:
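Review bot: the second sentence of the new -unlock text describes the lockout rather than the unlock. As written ("If the principal had previously been locked ... then the principal will be locked for lockoutduration time") an administrator reading the -unlock option learns what locks a principal, not what -unlock clears. Suggest stating the effect directly, e.g. "-unlock  Clears the lockout state of the principal (the record of recent authentication failures) so that it can authenticate again before lockoutduration has elapsed", and moving the description of how a principal becomes locked next to the maxfailure, failurecountinterval and lockoutduration policy options, which this hunk references by name without saying they are policy settings.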
@@ -580,10 +586,27 @@
add_policy [options] policy
adds the named policy to the policy database. Requires
the add privilege. Aliased to addpol. The following
options are available:
+ -maxfailure maxnumber
+ sets the maximum number of failures before the principal is
+ locked after authentication failures in failurecountinterval
+ time.
+
+ -failurecountinterval failuretime
+ sets the time after which the authentication failure count is
+ reset 0. See the Time Formats section for the valid time
+ duration formats that you can specify for failuretime.
+
+ -lockoutduration lockouttime
+ sets the time in which the principal is locked from
+ authenticating if maxfailure authentication failures occur
+ within failurecountinterval time. See the Time Formats section
+ for the valid time duration formats that you can specify for
+ lockouttime.
+
-maxlife time
sets the maximum lifetime of a password
-minlife time
sets the minimum lifetime of a password
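Review bot: the -failurecountinterval text has a typo ("reset 0" should be "reset to 0"), and the -lockoutduration wording "sets the time in which the principal is locked" reads as a point in time rather than a duration; "sets the length of time for which the principal is locked out" matches the other two options, which are phrased as durations. The -maxfailure entry would also be clearer as "sets the number of authentication failures within failurecountinterval after which the principal is locked out", since "before the principal is locked after authentication failures" double-states the failure condition. Finally, none of the three entries says what a value of 0 means; if 0 disables the corresponding check, the man page should say so, because an administrator enabling lockout for the first time needs to know which defaults leave the policy inactive.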
@@ -651,12 +674,15 @@
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 17
+ Maximum password failures before lockout: 3
+ Password failure count reset interval: 180
+ Password lockout duration: 60
kadmin: get_policy -terse admin
- admin 15552000 0 6 2 5 17
+ admin 15552000 0 6 2 5 17 3
180 60
kadmin:
ERRORS:
KADM5_AUTH_GET (requires the get privilege)
KADM5_UNK_POLICY (policy does not exist)
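Review bot: the new verbose get_policy lines show bare numbers with no unit ("Password failure count reset interval: 180", "Password lockout duration: 60"); the preceding "Minimum password life: 00:00:00" line uses an hh:mm:ss form, so either the new fields should use the same time format or the labels should state the unit, otherwise a reader cannot tell 180 seconds from 180 minutes when checking a lockout policy. The -terse example is also wrapped across two lines ("... 17 3" / "180 60"), which suggests a three-field continuation line that does not exist in the terse format; it should be shown as a single line in the man page.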