Difference between revisions of "Projects/Lockout"
(→Design) |
|||
Line 33: | Line 33: | ||
TBD: We might also set DISALLOW_ALL_TIX for backwards compatibility, although we will need to note whether this was already set so we can restore it (which has a race condition). Ultimately this will be difficult to do properly unless all KDCs are 1.8, so we will have to find the best compromise. I would prefer to distinguish between a principal with DISALLOW_ALL_TIX set and a locked out principal, because they are different things (and the latter can be computed purely from reading the time the principal was locked out). |
TBD: We might also set DISALLOW_ALL_TIX for backwards compatibility, although we will need to note whether this was already set so we can restore it (which has a race condition). Ultimately this will be difficult to do properly unless all KDCs are 1.8, so we will have to find the best compromise. I would prefer to distinguish between a principal with DISALLOW_ALL_TIX set and a locked out principal, because they are different things (and the latter can be computed purely from reading the time the principal was locked out). |
||
− | TBD: in Active |
+ | TBD: in Active Directory, the preauthentication failure time and count are non-replicated attributes (for performance; only the fact an principal is locked out is replicated). Can we do this with the existing KDB replication architecture? How can we replication account lockout status without a multi-master replication architecture? Will we need replication protocol extensions? |
===Before authentication=== |
===Before authentication=== |
||
Line 41: | Line 41: | ||
<pre> |
<pre> |
||
if ( lockout time + lockout duration < now ) |
if ( lockout time + lockout duration < now ) |
||
− | principal is locked, return |
+ | principal is locked, return KDC_ERR_CLIENT_REVOKED or similar |
</pre> |
</pre> |
||
===After authentication=== |
===After authentication=== |
||
− | Check whether lockout observation window has closed |
+ | Check whether lockout observation window has closed; if so, reset preauthentication failure count. |
<pre> |
<pre> |
||
− | if ( |
+ | if ( lockout observation window != 0 && bad preauthentication time + lockout observation window > now ) |
+ | { |
||
preauthentication failure count ::= 0 |
preauthentication failure count ::= 0 |
||
+ | } |
||
</pre> |
</pre> |
||
Revision as of 15:22, 20 August 2009
Contents
Background
This project aims to provide principal lockout functionality similar to that of Active Directory. After a certain number of preauthentication failures (the theshold) with a given time limit (the observation window), a principal will be locked out from authenticating for a certain period of time (the lockout duration).
This project has nothing to do with password complexity or ageing.
It is important that deploying this in a mixed environment of 1.8 and pre-1.8 KDCs does not create any security exposures.
Design
Lockout policy
There are three attributes which will be associated with a Kerberos policy:
- lockout threshold (number of attempts)
- lockout observation window (period after which bad preauthentication count will be reset)
- lockout duration (period in which lockout is enforced; a duration of zero means that the principal must be manually unlocked)
TBD: is it possible to extend osa_policy_ent_rec with these variables (given the structure is versioned).
There are three attributes which will be associated with each principal:
- time of last preauthentication failure
- number of preauthentication failures (within observation window)
- time the principal was locked out
These will be encoded in TL data for backwards compatibility with existing KDCs.
TBD: We might also set DISALLOW_ALL_TIX for backwards compatibility, although we will need to note whether this was already set so we can restore it (which has a race condition). Ultimately this will be difficult to do properly unless all KDCs are 1.8, so we will have to find the best compromise. I would prefer to distinguish between a principal with DISALLOW_ALL_TIX set and a locked out principal, because they are different things (and the latter can be computed purely from reading the time the principal was locked out).
TBD: in Active Directory, the preauthentication failure time and count are non-replicated attributes (for performance; only the fact an principal is locked out is replicated). Can we do this with the existing KDB replication architecture? How can we replication account lockout status without a multi-master replication architecture? Will we need replication protocol extensions?
Before authentication
Check whether account is already locked out:
if ( lockout time + lockout duration < now ) principal is locked, return KDC_ERR_CLIENT_REVOKED or similar
After authentication
Check whether lockout observation window has closed; if so, reset preauthentication failure count.
if ( lockout observation window != 0 && bad preauthentication time + lockout observation window > now ) { preauthentication failure count ::= 0 }
After preauthentication failure
Record authentication failure and possibly lock account out:
preauthentication failure time ::= now preauthentication failure count ::= preauthentication failure count + 1 if ( lockout threshold != 0 && preauthentication failure count >= lockout threshold ) { lockout time ::= now /* account is now locked */ attributes ::= attributes | DISALLOW_ALL_TIX }
After preauthentication success
preauthentication failure count ::= 0
if ( lockout duration != 0 && lockout time != 0 ) lockout time ::= 0
Implementation details
Plan to implement with the DB backend first, then LDAP. Code will be shared where possible, but the bulk of code will be within the backend, as I don't wish to enforce this lockout model on other backend implementers (such as Novell).
Tools
kadmin will be enhanced to manually unlock a principal.
Status
No code written yet.