logo_kerberos.gif

Projects/Lockout

From K5Wiki
< Projects
Revision as of 15:35, 20 August 2009 by Lukeh (talk | contribs) (After preauthentication success)

Jump to: navigation, search
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.



Background

This project aims to provide principal lockout functionality similar to that of Active Directory. After a certain number of preauthentication failures (the theshold) with a given time limit (the observation window), a principal will be locked out from authenticating for a certain period of time (the lockout duration).

This project has nothing to do with password complexity or ageing.

It is important that deploying this in a mixed environment of 1.8 and pre-1.8 KDCs does not create any security exposures.

Design

Lockout policy

There are three attributes which will be associated with a Kerberos policy:

  • lockout threshold (number of attempts)
  • lockout observation window (period after which bad preauthentication count will be reset)
  • lockout duration (period in which lockout is enforced; a duration of zero means that the principal must be manually unlocked)

TBD: is it possible to extend osa_policy_ent_rec with these variables (given the structure is versioned).

There are three attributes which will be associated with each principal:

  • time of last preauthentication failure
  • number of preauthentication failures (within observation window)
  • time the principal was locked out

These will be encoded in TL data for backwards compatibility with existing KDCs.

TBD: We might also set DISALLOW_ALL_TIX for backwards compatibility, although we will need to note whether this was already set so we can restore it (which has a race condition). Ultimately this will be difficult to do properly unless all KDCs are 1.8, so we will have to find the best compromise. I would prefer to distinguish between a principal with DISALLOW_ALL_TIX set and a locked out principal, because they are different things (and the latter can be computed purely from reading the time the principal was locked out).

TBD: in Active Directory, the preauthentication failure time and count are non-replicated attributes (for performance; only the fact an principal is locked out is replicated). Can we do this with the existing KDB replication architecture? How can we replication account lockout status without a multi-master replication architecture? Will we need replication protocol extensions?

Before authentication

Check whether account is already locked out:

if ( lockout time + lockout duration < now )
    principal is locked, return KDC_ERR_CLIENT_REVOKED or similar

After authentication

Check whether lockout observation window has closed; if so, reset preauthentication failure count.

if ( lockout observation window != 0 && bad preauthentication time + lockout observation window > now )
{
    preauthentication failure count ::= 0
}

After preauthentication failure

Record authentication failure and possibly lock account out:

preauthentication failure time ::= now
preauthentication failure count ::= preauthentication failure count + 1

if ( lockout threshold != 0 && preauthentication failure count >= lockout threshold )
{
    lockout time ::= now /* account is now locked */
    attributes ::= attributes | DISALLOW_ALL_TIX
}

After preauthentication success

if ( lockout duration != 0 && lockout time != 0 )
    lockout time ::= 0

Implementation details

Plan to implement with the DB backend first, then LDAP. Code will be shared where possible, but the bulk of code will be within the backend, as I don't wish to enforce this lockout model on other backend implementers (such as Novell).

Tools

kadmin will be enhanced to manually unlock a principal.

Status

No code written yet.