Projects/Lockout
Contents
Background
This project aims to provide principal lockout functionality similar to that of Active Directory. After a certain number of preauthentication failures (the theshold) with a given time limit (the observation window), a principal will be locked out from authenticating for a certain period of time (the lockout duration).
This project has nothing to do with password complexity or ageing.
Design
Lockout policy
There are three attributes which will be associated with a Kerberos policy:
- pw_max_fail (number of attempts)
- pw_failcnt_interval (period after which bad preauthentication count will be reset)
- pw_lockout_duration (period in which lockout is enforced; a duration of zero means that the principal must be manually unlocked)
There are four attributes which will be associated with each principal:
- last_success (time of last preauthentication success)
- last_failed (time of last preauthentication failure)
- fail_auth_count (number of preauthentication failures)
- lockout time
These are non-replicated attributes. The lockout time is stored in TL data; all other attributes reuse existing fields in the principal entry.
Mapping to LDAP password policy draft
- pw_max_fail - pwdMaxFailure
- pw_failcnt_interval - pwdFailureCountInterval
- pw_lockout_duration duration - pwdLockoutDuration
- last_failed - pwdFailureTime
- fail_auth_count - number of preauthentication failures (within observation window) - n(pwdFailureTime)
- KRB5_TL_LOCKED_TIME - pwdAccountLockedTime
Before authentication
Check whether account is already locked out:
if (locked_time != 0 && stamp < locked_time + lockout_duration) return kdc_err_client_revoked
After authentication
Implementation details
Tools
kadmin will be enhanced to manually unlock a principal.