Hello,
I have recently set up a system to test the relatively new ability of Kerberos
to track failed password attempts and lock out users for a given period of time
if they exceed a threshold. My system is CentOS 6.2 running the
krb5-server-1.9-22.el6_2.1.x86_64 RPM. I have created a testuser in the
Kerberos domain, and applied the policy as shown below. If I then attempt to
log on to the server via SSH or to get a ticket via kinit and purposefully munge
my password multiple times, it does not lock me out. Nor does getprinc reflect
the failed attempts. I can't find much documentation on this feature; there
don't seem to be any configuration options in kdc.conf or elsewhere other
than in the User Policy. Even there, the kadmin man page is out of date and
doesn't include the password lockout duration flags to add_policy and the
like. Any pointers?
[root@hpctest-krb2 ~]# kadmin.local -q 'add_policy -maxlife "101 days" -minlength 8 -minclasses 2 -history 2 -maxfailure 3 -failurecountinterval "5min" -lockoutduration "5min" NewUser'
...
[root@hpctest-krb2 ~]# kadmin.local -q "getpol NewUser"
Authenticating as principal root/admin@TESTKDC with password.
Policy: NewUser
Maximum password life: 8726400
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 2
Reference count: 1
Maximum password failures before lockout: 3
Password failure count reset interval: 5
Password lockout duration: 5
[root@hpctest-krb2 ~]#
[root@hpctest-krb2 ~]# kadmin.local -q "getprinc testuser"
Authenticating as principal root/admin@TESTKDC with password.
Principal: testuser@TESTKDC
Expiration date: [never]
Last password change: Fri Mar 16 14:29:33 EDT 2012
Password expiration date: Mon Jun 25 14:29:33 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 20:00:00
Last modified: Fri Mar 16 14:29:33 EDT 2012 (root/admin@TESTKDC)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: NewUser
[root@hpctest-krb2 ~]# kinit testuser
Password for testuser@TESTKDC:
kinit: Password incorrect while getting initial credentials
[root@hpctest-krb2 ~]# kadmin.local -q "getprinc testuser"
Authenticating as principal root/admin@TESTKDC with password.
Principal: testuser@TESTKDC
Expiration date: [never]
Last password change: Fri Mar 16 14:29:33 EDT 2012
Password expiration date: Mon Jun 25 14:29:33 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 20:00:00
Last modified: Fri Mar 16 14:29:33 EDT 2012 (root/admin@TESTKDC)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: NewUser
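An added check (editor's example, not part of the post or of MIT Kerberos): a POSIX shell script that parses getprinc/getpol dumps of the kind shown above and reports whether the lockout policy can take effect at all. The KDC only increments the failed-attempt counter when it verifies a password during preauthentication, so a principal whose Attributes line lacks REQUIRES_PRE_AUTH (set with kadmin's modprinc +requires_preauth) is never locked out regardless of the policy; the sample dumps are constructed from the post's output.

```shell
#!/bin/sh
# Editor's example. Reports whether a kadmin lockout policy is enforceable
# for a principal: the KDC counts failed password attempts only while it
# verifies preauthentication data, so the principal needs REQUIRES_PRE_AUTH.

# Constructed sample dumps, trimmed to the fields the check reads and
# shaped like the kadmin.local output quoted in the post.
sample_getprinc() {
cat <<'EOF'
Principal: testuser@TESTKDC
Failed password attempts: 0
Attributes:
Policy: NewUser
EOF
}
sample_getpol() {
cat <<'EOF'
Policy: NewUser
Maximum password failures before lockout: 3
Password failure count reset interval: 5
Password lockout duration: 5
EOF
}

# field LABEL: print the value of the "LABEL: value" line read from stdin.
field() { sed -n "s/^$1: *//p"; }

# check_lockout PRINC_DUMP POLICY_DUMP
# Prints one status token; returns 0 only when lockout can actually fire.
check_lockout() {
  maxfail=$(printf '%s\n' "$2" | field 'Maximum password failures before lockout')
  attrs=$(printf '%s\n' "$1" | field 'Attributes')
  if [ "${maxfail:-0}" -eq 0 ]; then
    echo 'no-lockout-policy'; return 1       # policy never locks anyone out
  fi
  case " $attrs " in
    *' REQUIRES_PRE_AUTH '*) echo 'ok'; return 0 ;;
  esac
  echo 'missing-requires_preauth'; return 1   # counter will never increment
}

check_lockout "$(sample_getprinc)" "$(sample_getpol)" \
  || echo 'lockout cannot trigger for this principal'
```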