
Date: Tue, 10 May 2011 00:35:11 -0600
From: Shawn Emery <>
Subject: Account lockout policy parameters not documented

Note: The changes below assume that kadmin's option arguments are fixed to accept the usual time formats.

@@ -378,10 +378,16 @@
                for  setting the key of the principal.  The quotes
                are    necessary    if    there    are    multiple
                enctype-salttype  pairs.   This  will not function
                against kadmin daemons earlier than krb5-1.2.
+      -unlock
+           Unlocks the principal so that it can successfully authenticate.
+           If the principal had previously been locked due to reaching
+           maxfailure in failurecountinterval time then the principal
+           will be locked for lockoutduration time.
                kadmin: addprinc tlyu/admin
                WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
                defaulting to no policy.
                Enter password for principal tlyu/admin@BLEEP.COM:
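Review bot: the second sentence of the -unlock description is ambiguous, because "then the principal will be locked for lockoutduration time" reads as if -unlock itself imposes the lockout. Suggest making cause and effect explicit, e.g. "Unlocks a principal that was locked out after maxfailure authentication failures within failurecountinterval; without this option, such a principal stays locked for lockoutduration." The text is also inserted in the option list just before the addprinc example, while the commit message refers to "modprinc -unlock"; if the option applies only to modprinc, the description should say so.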
@@ -580,10 +586,27 @@
      add_policy [options] policy
           adds the named policy to the policy database.  Requires
           the  add  privilege.  Aliased to addpol.  The following
           options are available:
+      -maxfailure maxnumber
+           sets the maximum number of failures before the principal is
+           locked after authentication failures in failurecountinterval
+           time.
+      -failurecountinterval failuretime
+           sets the time after which the authentication failure count is
+           reset 0.  See the Time Formats section for the valid time
+           duration formats that you can specify for failuretime.
+      -lockoutduration lockouttime
+           sets the time in which the principal is locked from
+           authenticating if maxfailure authentication failures occur
+           within failurecountinterval time.  See the Time Formats section
+           for the valid time duration formats that you can specify for
+           lockouttime.
           -maxlife time
                sets the maximum lifetime of a password
           -minlife time
                sets the minimum lifetime of a password
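Review bot: "reset 0" in the -failurecountinterval description is missing a word and should read "reset to 0". None of the three new options states its default or whether a value of 0 disables the check, which an administrator needs before enabling lockout on an existing policy; suggest one sentence per option covering that. The -maxfailure text ("locked after authentication failures in failurecountinterval time") also restates what -failurecountinterval already says; "locked out; failures are counted within failurecountinterval" would be tighter.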
@@ -651,12 +674,15 @@
                Minimum password life: 00:00:00
                Minimum password length: 6
                Minimum number of password character classes: 2
                Number of old keys kept: 5
                Reference count: 17
+               Maximum password failures before lockout: 3
+               Password failure count reset interval: 180
+               Password lockout duration: 60
                kadmin: get_policy -terse admin
-               admin     15552000  0    6    2    5    17
+               admin     15552000  0    6    2    5    17    3    180    60
                KADM5_AUTH_GET (requires the get privilege)
                KADM5_UNK_POLICY (policy does not exist)
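Review bot: the get_policy example prints "Password failure count reset interval: 180" and "Password lockout duration: 60" as bare numbers, while the add_policy text says these values are entered in the duration formats of the Time Formats section; the example should state the unit of the displayed values (and whether the -terse columns use the same unit) so a reader can match them to what was set. The three new -terse columns are appended in the same order as the long-form lines, which is consistent.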
Subject: SVN Commit

Document the lockout-related options in kadmin (modprinc -unlock and
addpol/modpol -maxfailure, -failurecountinterval, and
-lockoutduration), in the man page and in admin.texinfo. Based on
text submitted by
Commit By: ghudson
Revision: 24932
Changed Files:
U trunk/doc/admin.texinfo
U trunk/src/kadmin/cli/kadmin.M