logo_kerberos.gif

Projects/Lockout

From K5Wiki
< Projects
Revision as of 16:46, 13 September 2009 by Lukeh (talk | contribs) (Design)

Jump to: navigation, search
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.



Background

This project aims to provide principal lockout functionality similar to that of Active Directory. After a certain number of preauthentication failures (the theshold) with a given time limit (the observation window), a principal will be locked out from authenticating for a certain period of time (the lockout duration).

This project has nothing to do with password complexity or ageing.

Design

Lockout policy

There are three attributes which will be associated with a Kerberos policy:

  • pw_max_fail (number of attempts)
  • pw_failcnt_interval (period after which bad preauthentication count will be reset)
  • pw_lockout_duration (period in which lockout is enforced; a duration of zero means that the principal must be manually unlocked)

There are four attributes which will be associated with each principal:

  • last_success (time of last preauthentication success)
  • last_failed (time of last preauthentication failure)
  • fail_auth_count (number of preauthentication failures)
  • lockout time

These are non-replicated attributes. The lockout time is stored in TL data; all other attributes reuse existing fields in the principal entry.

Replication

For DB2 backends, per-principal lockout state will be per KDC: replicated updates will not overwrite this information. Thus, the effective value of pw_max_fail is N * pw_max_fail, where N is the number of KDCs in the realm.

For LDAP backends, we will rely on the LDAP server to update the lockout count; we assume a password policy confirming LDAP server.

Mapping to LDAP password policy draft

  • pw_max_fail - pwdMaxFailure
  • pw_failcnt_interval - pwdFailureCountInterval
  • pw_lockout_duration duration - pwdLockoutDuration
  • last_failed - pwdFailureTime
  • fail_auth_count - number of preauthentication failures (within observation window) - n(pwdFailureTime)
  • KRB5_TL_LOCKED_TIME - pwdAccountLockedTime

Before authentication

Check whether account is already locked out:

if (locked_time != 0 &&
     stamp < locked_time + lockout_duration)
    return kdc_err_client_revoked

After authentication

Implementation details

Tools

kadmin will be enhanced to manually unlock a principal.

Status