| Date: | Tue, 10 May 2011 00:35:11 -0600 |
| From: | Shawn Emery <shawn.emery@oracle.com> |
| To: | krb5-bugs@mit.edu |
| Subject: | Account lockout policy parameters not documented |
Note: The changes below assumes that kadmin's option arguments are fixed to accept the usual time formats.
KADMIN(1):
@@ -378,10 +378,16 @@
for setting the key of the principal. The quotes
are necessary if there are multiple
enctype-salttype pairs. This will not function
against kadmin daemons earlier than krb5-1.2.
+ -unlock
+ Unlocks the principal so that it can successfully authenticate.
+ If the principal had previously been locked due to reaching
+ maxfailure in failurecountinterval time then the principal
+ will be locked for lockoutduration time.
+
EXAMPLE:
kadmin: addprinc tlyu/admin
WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
defaulting to no policy.
Enter password for principal tlyu/admin@BLEEP.COM:
@@ -580,10 +586,27 @@
add_policy [options] policy
adds the named policy to the policy database. Requires
the add privilege. Aliased to addpol. The following
options are available:
+ -maxfailure maxnumber
+ sets the maximum number of failures before the principal is
+ locked after authentication failures in failurecountinterval
+ time.
+
+ -failurecountinterval failuretime
+ sets the time after which the authentication failure count is
+ reset 0. See the Time Formats section for the valid time
+ duration formats that you can specify for failuretime.
+
+ -lockoutduration lockouttime
+ sets the time in which the principal is locked from
+ authenticating if maxfailure authentication failures occur
+ within failurecountinterval time. See the Time Formats section
+ for the valid time duration formats that you can specify for
+ lockouttime.
+
-maxlife time
sets the maximum lifetime of a password
-minlife time
sets the minimum lifetime of a password
@@ -651,12 +674,15 @@
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 17
+ Maximum password failures before lockout: 3
+ Password failure count reset interval: 180
+ Password lockout duration: 60
kadmin: get_policy -terse admin
- admin 15552000 0 6 2 5 17
+ admin 15552000 0 6 2 5 17 3 180 60
kadmin:
ERRORS:
KADM5_AUTH_GET (requires the get privilege)
KADM5_UNK_POLICY (policy does not exist)