Difference between revisions of "Projects/Lockout"
(→Lockout policy) |
|||
Line 8: | Line 8: | ||
This project has nothing to do with password complexity or ageing. |
This project has nothing to do with password complexity or ageing. |
||
− | |||
− | It is important that deploying this in a mixed environment of 1.8 and pre-1.8 KDCs does not create any security exposures. |
||
==Design== |
==Design== |
||
Line 17: | Line 15: | ||
There are three attributes which will be associated with a Kerberos policy: |
There are three attributes which will be associated with a Kerberos policy: |
||
− | * |
+ | * pw_max_fail (number of attempts) |
− | * |
+ | * pw_failcnt_interval (period after which bad preauthentication count will be reset) |
− | * |
+ | * pw_lockout_duration (period in which lockout is enforced; a duration of zero means that the principal must be manually unlocked) |
− | TBD: is it possible to extend osa_policy_ent_rec with these variables (given the structure is versioned). |
||
⚫ | |||
⚫ | |||
⚫ | |||
+ | * last_failed (time of last preauthentication failure) |
||
⚫ | |||
⚫ | |||
⚫ | |||
+ | These are non-replicated attributes. The lockout time is stored in TL data; all other attributes reuse existing fields in the principal entry. |
||
⚫ | |||
− | * time the principal was locked out |
||
− | |||
− | These will be encoded in TL data for backwards compatibility with existing KDCs. |
||
− | |||
− | TBD: We might also set DISALLOW_ALL_TIX for backwards compatibility, although we will need to note whether this was already set so we can restore it (which has a race condition). Ultimately this will be difficult to do properly unless all KDCs are 1.8, so we will have to find the best compromise. I would prefer to distinguish between a principal with DISALLOW_ALL_TIX set and a locked out principal, because they are different things (and the latter can be computed purely from reading the time the principal was locked out). |
||
− | |||
− | TBD: in Active Directory, the preauthentication failure time and count are non-replicated attributes (for performance; only the fact an principal is locked out is replicated). Can we do this with the existing KDB replication architecture? How can we replication account lockout status without a multi-master replication architecture? Will we need replication protocol extensions? |
||
====Mapping to LDAP password policy draft==== |
====Mapping to LDAP password policy draft==== |
||
− | * |
+ | * pw_max_fail - pwdMaxFailure |
− | * |
+ | * pw_failcnt_interval - pwdFailureCountInterval |
− | * |
+ | * pw_lockout_duration duration - pwdLockoutDuration |
− | * |
+ | * last_failed - pwdFailureTime |
− | * number of preauthentication failures (within observation window) - n(pwdFailureTime) |
+ | * fail_auth_count - number of preauthentication failures (within observation window) - n(pwdFailureTime) |
− | * |
+ | * KRB5_TL_LOCKED_TIME - pwdAccountLockedTime |
===Before authentication=== |
===Before authentication=== |
||
Line 50: | Line 43: | ||
<pre> |
<pre> |
||
− | if ( lockout time + lockout duration < now ) |
||
+ | if (locked_time != 0 && |
||
− | principal is locked, return KDC_ERR_CLIENT_REVOKED or similar |
||
+ | stamp < locked_time + lockout_duration) |
||
+ | return kdc_err_client_revoked |
||
</pre> |
</pre> |
||
===After authentication=== |
===After authentication=== |
||
− | |||
⚫ | |||
− | |||
− | If last preauthentication failure was outside observation window, reset preauthentication failure count. |
||
− | |||
− | Then, set preauthentication failure time and count, and lock account out if necessary. |
||
− | |||
− | <pre> |
||
− | if ( preauthentication failure time + lockout observation window > now ) |
||
− | preauthentication failure count ::= 0 |
||
− | |||
− | preauthentication failure time ::= now |
||
− | preauthentication failure count ::= preauthentication failure count + 1 |
||
− | |||
− | if ( lockout threshold != 0 && preauthentication failure count >= lockout threshold ) |
||
− | { |
||
− | lockout time ::= now /* account is now locked */ |
||
− | attributes ::= attributes | DISALLOW_ALL_TIX |
||
− | } |
||
− | </pre> |
||
− | |||
− | ====After preauthentication success==== |
||
− | |||
− | <pre> |
||
− | preauthentication failure count ::= 0 |
||
− | /* note that AD does not reset preauthentication failure time here */ |
||
− | |||
− | if ( lockout duration != 0 && lockout time + lockout duration > now ) |
||
⚫ | |||
− | </pre> |
||
==Implementation details== |
==Implementation details== |
||
− | |||
− | Plan to implement with the DB backend first, then LDAP. Code will be shared where possible, but the bulk of code will be within the backend, as I don't wish to enforce this lockout model on other backend implementers (such as Novell). |
||
==Tools== |
==Tools== |
||
Line 95: | Line 57: | ||
==Status== |
==Status== |
||
− | |||
− | No code written yet. |
Revision as of 16:42, 13 September 2009
Contents
Background
This project aims to provide principal lockout functionality similar to that of Active Directory. After a certain number of preauthentication failures (the theshold) with a given time limit (the observation window), a principal will be locked out from authenticating for a certain period of time (the lockout duration).
This project has nothing to do with password complexity or ageing.
Design
Lockout policy
There are three attributes which will be associated with a Kerberos policy:
- pw_max_fail (number of attempts)
- pw_failcnt_interval (period after which bad preauthentication count will be reset)
- pw_lockout_duration (period in which lockout is enforced; a duration of zero means that the principal must be manually unlocked)
There are four attributes which will be associated with each principal:
- last_success (time of last preauthentication success)
- last_failed (time of last preauthentication failure)
- fail_auth_count (number of preauthentication failures)
- lockout time
These are non-replicated attributes. The lockout time is stored in TL data; all other attributes reuse existing fields in the principal entry.
Mapping to LDAP password policy draft
- pw_max_fail - pwdMaxFailure
- pw_failcnt_interval - pwdFailureCountInterval
- pw_lockout_duration duration - pwdLockoutDuration
- last_failed - pwdFailureTime
- fail_auth_count - number of preauthentication failures (within observation window) - n(pwdFailureTime)
- KRB5_TL_LOCKED_TIME - pwdAccountLockedTime
Before authentication
Check whether account is already locked out:
if (locked_time != 0 && stamp < locked_time + lockout_duration) return kdc_err_client_revoked
After authentication
Implementation details
Tools
kadmin will be enhanced to manually unlock a principal.