Lockout

Greg Hudson ghudson at MIT.EDU
Wed Oct 7 11:56:01 EDT 2009


A few weeks ago, I asked Luke to think about whether it is really
necessary to add a "lockout time" attribute for the purposes of account
lockout.  Because the lockout time attribute is new (the other three
attributes already exist in the DB schema), it adds additional code
complexity because it must be represented in TL data.  My idea is that
you can deduce whether the account is locked out from the fail count,
and can determine the time of lockout from the last preauth failure
time.

I believe I mostly have Luke convinced, but we agreed that I should
bring the issue up for discussion here before he does the work of
simplifying the code.

Note that this change causes lockout state to be dynamically derived
from the policy.  As a result:

  1. If you increase the number of allowed failures in the policy,
locked accounts will become unlocked.

  2. If you decrease the number of allowed failures in the policy,
unlocked accounts which have received failures could become locked.
(However, note that any affected accounts were only "unlocked" in some
theoretical sense.  Successful preauth attempts reset the failure count,
so no user could have observed the fact that his or her account was
unlocked before the policy change.)

I could see (1) used to justify the addition of a new field, but I still
don't think it's worth the complexity.  I don't think (2) is a concern.

The new pseudo-code prior to the preauth check would be:

  if (entry.fail_auth_count >= policy.max_fail &&
      (policy.lockout_duration == 0 ||
       now < entry.last_failed + policy.lockout_duration))
    result ::= CLIENT_REVOKED

and after the preauth check:

  if ( preauth_success )
  {
      entry.fail_auth_count ::= 0
      entry.last_success ::= now
  }
  else if ( preauth_failure )
  {
      if (policy.failcnt_interval != 0 &&
          now > entry.last_failed + policy.failcnt_interval)
      {
          /* automatically reset fail_auth_count after failcnt_interval */
          entry.fail_auth_count ::= 0
      }

      entry.last_failed ::= now
      entry.fail_auth_count ::= entry.fail_auth_count + 1
  }

On Tue, 2009-09-15 at 14:56 -0400, Luke Howard wrote:
> For review:
> 
> 	http://k5wiki.kerberos.org/wiki/Projects/Lockout
> 
> Note: code is not well tested (in case of LDAP, untested).
> 
> -- Luke
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
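The derivation sketched in the pseudo-code above, worked through as an added example in C. This is not code from the original post or from the MIT krb5 tree; the struct and function names (lockout_policy, principal_entry, lockout_is_locked, lockout_record_result) are invented for illustration, and the treatment of max_fail == 0 as "lockout disabled" is an assumption, not something the post states. It shows the point of the thread: lockout state is computed on the fly from fail_auth_count, last_failed and the current policy, so raising max_fail unlocks an account with no stored "lockout time" and lockout_duration == 0 means locked until an administrator resets the count.

```c
#include <stdio.h>
#include <time.h>

/* Policy attributes, all of which already exist in the DB schema. */
struct lockout_policy {
    unsigned max_fail;        /* failures allowed before lockout; 0 = disabled (assumption) */
    time_t   failcnt_interval; /* seconds after which fail count is forgotten; 0 = never */
    time_t   lockout_duration; /* seconds an account stays locked; 0 = until admin reset */
};

/* Per-principal attributes used by the derivation. */
struct principal_entry {
    unsigned fail_auth_count;
    time_t   last_failed;
    time_t   last_success;
};

/* Check run before preauth: returns 1 when the KDC should answer CLIENT_REVOKED.
 * Lockout is derived, not stored: the "time of lockout" is simply last_failed. */
int lockout_is_locked(const struct principal_entry *e,
                      const struct lockout_policy *p, time_t now)
{
    if (p->max_fail == 0)                     /* assumption: 0 disables lockout */
        return 0;
    if (e->fail_auth_count < p->max_fail)     /* below the threshold: never locked */
        return 0;
    if (p->lockout_duration == 0)             /* indefinite lockout, admin must reset */
        return 1;
    return now < e->last_failed + p->lockout_duration;
}

/* Update run after preauth. A success clears the count; a failure first
 * expires a stale count (failcnt_interval), then records the new failure. */
void lockout_record_result(struct principal_entry *e,
                           const struct lockout_policy *p, time_t now,
                           int preauth_success)
{
    if (preauth_success) {
        e->fail_auth_count = 0;
        e->last_success = now;
        return;
    }
    if (p->failcnt_interval != 0 && now > e->last_failed + p->failcnt_interval)
        e->fail_auth_count = 0;               /* automatic reset after failcnt_interval */
    e->last_failed = now;
    e->fail_auth_count++;
}

int main(void)
{
    /* Constructed scenario: 3 failures allowed, count forgotten after 60 s,
     * lockout lasts 300 s. Timestamps are seconds since an arbitrary epoch. */
    struct lockout_policy pol = { 3, 60, 300 };
    struct principal_entry ent = { 0, 0, 0 };
    time_t t;

    for (t = 10; t <= 12; t++)
        lockout_record_result(&ent, &pol, t, 0);   /* three bad passwords */
    printf("t=13  locked=%d\n", lockout_is_locked(&ent, &pol, 13));
    printf("t=311 locked=%d\n", lockout_is_locked(&ent, &pol, 311));
    printf("t=312 locked=%d (lockout_duration elapsed)\n",
           lockout_is_locked(&ent, &pol, 312));

    /* Effect (1) from the post: relax the policy and the account is unlocked. */
    pol.max_fail = 5;
    printf("t=13  locked=%d after max_fail raised to 5\n",
           lockout_is_locked(&ent, &pol, 13));
    return 0;
}
```

Because the check consults the policy at request time, no migration or unlock pass is needed when max_fail changes; conversely, lowering max_fail can lock an account that has accumulated failures, which the post argues is harmless since a successful preauth would have zeroed the count.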