svn rev #24932: trunk/ doc/ src/kadmin/cli/

ghudson@MIT.EDU
Mon May 16 00:20:55 EDT 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=24932
Commit By: ghudson
Log Message:
ticket: 6910

Document the lockout-related options in kadmin (modprinc -unlock and
addpol/modpol -maxfailure, -failurecountinterval, and
-lockoutduration), in the man page and in admin.texinfo.  Based on
text submitted by shawn.emery at oracle.com.



Changed Files:
U   trunk/doc/admin.texinfo
U   trunk/src/kadmin/cli/kadmin.M
Modified: trunk/doc/admin.texinfo
===================================================================
--- trunk/doc/admin.texinfo	2011-05-16 03:54:16 UTC (rev 24931)
+++ trunk/doc/admin.texinfo	2011-05-16 04:20:55 UTC (rev 24932)
@@ -2434,6 +2434,11 @@
 enctype-salttype pairs.  This will not function against kadmin daemons
 earlier than krb5-1.2.  See @ref{Supported Encryption Types} and
 @ref{Salts} for available types.
+
+ at item -unlock
+Unlocks a locked principal (one which has received too many failed
+authentication attempts without enough time between them according to
+its password policy) so that it can successfully authenticate.
 @end table
 
 If you want to just use the default values, all you need to do is:
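Review bot: the added line that should read "@item -unlock" appears here as " at item -unlock", while the unchanged context lines keep their "@" ("@ref{Salts}", "@end table"); if that is what was committed rather than list-archive mangling of the "@" sign, makeinfo will not recognise the entry as a table item, so please confirm the file contains a literal "@item -unlock". It would also help to say that -unlock is a manual override: a principal locked under its policy can authenticate again on its own once the policy's -lockoutduration has elapsed, so this option is for clearing the lock before then.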
@@ -2778,6 +2783,22 @@
 
 @item -history @i{number}
 Sets the number of past keys kept for a principal to @i{number}. This option is not supported for LDAP database.
+
+ at item -maxfailure @i{maxnumber}
+Sets the maximum number of authentication failures before the principal
+is locked.  Authentication failures are only tracked for principals
+which require preauthentication.
+
+ at item -failurecountinterval @i{failuretime}
+Sets the allowable time between authentication failures.  If an
+authentication failure happens after @i{failuretime} has elapsed since
+the previous failure, the number of authentication failures is reset to
+1.
+
+ at item -lockoutduration @i{lockouttime}
+Sets the duration for which the principal is locked from authenticating
+if too many authentication failures occur without the specified failure
+count interval elapsing.
 @end table 
 @c **** An example here would be nice.  ****
 
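Review bot: the descriptions of -failurecountinterval and -lockoutduration do not say what format @i{failuretime} and @i{lockouttime} take (plain seconds, or the duration syntax accepted by the other time-valued policy options), nor what a value of 0 means for any of the three options; both should be stated, because an administrator cannot tell from this text whether 0 disables lockout or locks the principal immediately. The "@c **** An example here would be nice. ****" comment in the context right after the table is the natural place to show a single addpol invocation that sets -maxfailure, -failurecountinterval and -lockoutduration together, so the way the three values interact is visible in one place.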

Modified: trunk/src/kadmin/cli/kadmin.M
===================================================================
--- trunk/src/kadmin/cli/kadmin.M	2011-05-16 03:54:16 UTC (rev 24931)
+++ trunk/src/kadmin/cli/kadmin.M	2011-05-16 04:20:55 UTC (rev 24932)
@@ -526,6 +526,11 @@
 if the Kerberos principal is not already associated with a LDAP object. 
 .RE
 .TP
+.B \-unlock
+Unlocks a locked principal (one which has received too many failed
+authentication attempts without enough time between them according to
+its password policy) so that it can successfully authenticate.
+.TP
 ERRORS:
 KADM5_AUTH_MODIFY (requires "modify" privilege)
 KADM5_UNK_PRINC (principal does not exist)
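Review bot: the new -unlock entry says the lock is applied "according to its password policy" but does not name the policy options involved; since the same patch adds -maxfailure, -failurecountinterval and -lockoutduration to addpol/modpol later in this file, a cross-reference to those options would make the sentence self-explanatory. The placement immediately before the modprinc ERRORS block is fine, and that block already covers the privilege requirement (KADM5_AUTH_MODIFY, "modify" privilege), so nothing further is needed on that point.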
@@ -689,6 +694,22 @@
 .TP
 \fB\-history\fP \fInumber\fP
 sets the number of past keys kept for a principal. This option is not supported for LDAP database
+.TP
+\fB\-maxfailure\fP \fImaxnumber\fP
+sets the maximum number of authentication failures before the
+principal is locked.  Authentication failures are only tracked for
+principals which require preauthentication.
+.TP
+\fB\-failurecountinterval\fP \fIfailuretime\fP
+sets the allowable time between authentication failures.  If an
+authentication failure happens after \fIfailuretime\fP has elapsed
+since the previous failure, the number of authentication failures is
+reset to 1.
+.TP
+\fB\-lockoutduration\fP \fIlockouttime\fP
+sets the duration for which the principal is locked from
+authenticating if too many authentication failures occur without the
+specified failure count interval elapsing.
 .sp
 .nf
 .TP
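Review bot: the caveat "Authentication failures are only tracked for principals which require preauthentication" is attached only to -maxfailure, but it governs all three options: -failurecountinterval and -lockoutduration likewise have no effect for a principal that does not require preauthentication, so it should be stated once for the group rather than read as specific to the failure count. The same applies to the admin.texinfo hunk, which places the caveat the same way; keeping the two texts parallel, including the units accepted for \fIfailuretime\fP and \fIlockouttime\fP, avoids the man page and the Texinfo manual drifting apart.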
