Kerberos failed password not working




Hello,
  I have recently set up a system to test the relatively new ability of Kerberos to track failed password attempts and lock out users for a given period of time if they exceed a threshold.  My system is CentOS 6.2 running the krb5-server-1.9-22.el6_2.1.x86_64 RPM.  I have created a testuser in the Kerberos domain, and applied the policy as shown below.  If I then attempt to log on to the server via SSH or to get a ticket via kinit and purposefully munge my password multiple times, it does not lock me out.  Nor does getprinc reflect the failed attempts.  I can't find much documentation on this feature; there don't seem to be any configuration options in kdc.conf or elsewhere other than in the User Policy.  Even there, the kadmin man page is out of date and doesn't include the password lockout duration flags to add_policy and the like.  Any pointers?


[root@hpctest-krb2 ~]# kadmin.local -q 'add_policy -maxlife "101 days" -minlength 8 -minclasses 2 -history 2 -maxfailure 3 -failurecountinterval "5min" -lockoutduration "5min" NewUser '
...
[root@hpctest-krb2 ~]# kadmin.local -q "getpol NewUser"
Authenticating as principal root/admin@TESTKDC with password.
Policy: NewUser
Maximum password life: 8726400
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 2
Reference count: 1
Maximum password failures before lockout: 3
Password failure count reset interval: 5
Password lockout duration: 5
[root@hpctest-krb2 ~]#
[root@hpctest-krb2 ~]# kadmin.local -q "getprinc testuser"
Authenticating as principal root/admin@TESTKDC with password.
Principal: testuser@TESTKDC
Expiration date: [never]
Last password change: Fri Mar 16 14:29:33 EDT 2012
Password expiration date: Mon Jun 25 14:29:33 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 20:00:00
Last modified: Fri Mar 16 14:29:33 EDT 2012 (root/admin@TESTKDC)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: NewUser
[root@hpctest-krb2 ~]# kinit testuser
Password for testuser@TESTKDC:
kinit: Password incorrect while getting initial credentials
[root@hpctest-krb2 ~]# kadmin.local -q "getprinc testuser"
Authenticating as principal root/admin@TESTKDC with password.
Principal: testuser@TESTKDC
Expiration date: [never]
Last password change: Fri Mar 16 14:29:33 EDT 2012
Password expiration date: Mon Jun 25 14:29:33 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 20:00:00
Last modified: Fri Mar 16 14:29:33 EDT 2012 (root/admin@TESTKDC)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: NewUser

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
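To make the lockout semantics concrete, here is an added Python check (not from this thread and not MIT krb5 code) that applies the KDC's rules to getprinc/getpol text like the output above: failure count against maxfailure, the reset interval, and the lockout duration. It also flags a principal whose "Attributes:" line lacks REQUIRES_PRE_AUTH, because the KDC only records a failed attempt when preauthentication fails, so such a principal never accumulates failures; the sample texts, timestamps and the "now" value are constructed.

```python
from datetime import datetime, timedelta
# Constructed samples shaped like the post's getprinc/getpol output (policy values
# in seconds: "5min" == 300). Principal 1 has the post's empty "Attributes:" line;
# principal 2 failed three times with preauthentication required.
PRINC_NO_PREAUTH = """\
Last failed authentication: [never]
Failed password attempts: 0
Attributes:
"""
PRINC_LOCKED = """\
Last failed authentication: Fri Mar 16 14:40:00 EDT 2012
Failed password attempts: 3
Attributes: REQUIRES_PRE_AUTH
"""
POLICY = """\
Maximum password failures before lockout: 3
Password failure count reset interval: 300
Password lockout duration: 300
"""
def parse_kv(text):
    """Turn the 'Key: value' lines of kadmin output into a dict."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            out[key.strip()] = val.strip()
    return out

def lockout_state(princ_text, pol_text, now_iso):
    """MIT KDC lockout rules; returns 'no-preauth' (failures are never
    recorded), 'locked', 'reset' (count interval elapsed) or 'counting'."""
    p, pol = parse_kv(princ_text), parse_kv(pol_text)
    now = datetime.fromisoformat(now_iso)
    if "REQUIRES_PRE_AUTH" not in p.get("Attributes", ""):
        return "no-preauth"
    max_fail = int(pol["Maximum password failures before lockout"])
    reset_ivl = int(pol["Password failure count reset interval"])
    lock_dur = int(pol["Password lockout duration"])
    fails = int(p["Failed password attempts"])
    if fails == 0 or p["Last failed authentication"] == "[never]":
        return "counting"
    s = p["Last failed authentication"].split()  # ctime-style stamp; zone dropped
    last = datetime.strptime(" ".join(s[:4] + s[5:]), "%a %b %d %H:%M:%S %Y")
    # Locked at the threshold until the duration elapses; duration 0 = until admin unlocks.
    if max_fail and fails >= max_fail:
        if lock_dur == 0 or last + timedelta(seconds=lock_dur) > now:
            return "locked"
    if reset_ivl and now > last + timedelta(seconds=reset_ivl):
        return "reset"
    return "counting"
```

Run it against real `kadmin.local -q "getprinc ..."` and `getpol` output by pasting those into the two text arguments; the "no-preauth" result is the case the post's empty Attributes line falls into.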


