Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-RT-Original-Encoding: iso-8859-1
Content-Length: 7649
Note: The changes below assumes that kadmin's
option arguments are fixed to accept the usual time
formats.
KADMIN(1):
@@ -378,10 +378,16 @@
for setting the key of the principal. The
quotes
are necessary if there are
multiple
enctype-salttype pairs. This will not
function
against kadmin daemons earlier than krb5-1.2.
+ -unlock
+ Unlocks the principal so that it can successfully
authenticate.
+ If the principal had previously been locked due to
reaching
+ maxfailure in failurecountinterval time then the
principal
+ will be locked for lockoutduration time.
+
EXAMPLE:
kadmin: addprinc tlyu/admin
WARNING: no policy specified for
"tlyu/admin@BLEEP.COM";
defaulting to no policy.
Enter password for principal
tlyu/admin@BLEEP.COM:
@@ -580,10 +586,27 @@
add_policy [options] policy
adds the named policy to the policy database.
Requires
the add privilege. Aliased to addpol. The
following
options are available:
+ -maxfailure maxnumber
+ sets the maximum number of failures before the
principal is
+ locked after authentication failures in
failurecountinterval
+ time.
+
+ -failurecountinterval failuretime
+ sets the time after which the authentication failure
count is
+ reset 0. See the Time Formats section for the valid
time
+ duration formats that you can specify for
failuretime.
+
+ -lockoutduration lockouttime
+ sets the time in which the principal is locked from
+ authenticating if maxfailure authentication failures
occur
+ within failurecountinterval time. See the Time
Formats section
+ for the valid time duration formats that you can
specify for
+ lockouttime.
+
-maxlife time
sets the maximum lifetime of a password
-minlife time
sets the minimum lifetime of a password
@@ -651,12 +674,15 @@
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 17
+ Maximum password failures before lockout: 3
+ Password failure count reset interval: 180
+ Password lockout duration: 60
kadmin: get_policy -terse admin
- admin 15552000 0 6 2 5 17
+ admin 15552000 0 6 2 5 17
3 180 60
kadmin:
ERRORS:
KADM5_AUTH_GET (requires the get privilege)
KADM5_UNK_POLICY (policy does not exist)