1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
|
<!DOCTYPE html>
<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Account lockout — MIT Kerberos Documentation</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
<link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
<script src="../_static/documentation_options.js?v=6dbce55c"></script>
<script src="../_static/doctools.js?v=888ff710"></script>
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="next" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" />
<link rel="prev" title="Database types" href="dbtypes.html" />
</head><body>
<div class="header-wrapper">
<div class="header">
<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="dbtypes.html" title="Database types"
accesskey="P">previous</a> |
<a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="account-lockout">
<span id="lockout"></span><h1>Account lockout<a class="headerlink" href="#account-lockout" title="Link to this heading">¶</a></h1>
<p>As of release 1.8, the KDC can be configured to lock out principals
after a number of failed authentication attempts within a period of
time. Account lockout can make it more difficult to attack a
principal’s password by brute force, but also makes it easy for an
attacker to deny access to a principal.</p>
<section id="configuring-account-lockout">
<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Link to this heading">¶</a></h2>
<p>Account lockout only works for principals with the
<strong>+requires_preauth</strong> flag set. Without this flag, the KDC cannot
know whether or not a client successfully decrypted the ticket it
issued. It is also important to set the <strong>-allow_svr</strong> flag on a
principal to protect its password from an off-line dictionary attack
through a TGS request. You can set these flags on a principal with
<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> as follows:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">PRINCNAME</span>
</pre></div>
</div>
<p>Account lockout parameters are configured via <a class="reference internal" href="database.html#policies"><span class="std std-ref">policy objects</span></a>. There may be an existing policy associated with user
principals (such as the “default” policy), or you may need to create a
new one and associate it with each user principal.</p>
<p>The policy parameters related to account lockout are:</p>
<ul class="simple">
<li><p><a class="reference internal" href="admin_commands/kadmin_local.html#policy-maxfailure"><span class="std std-ref">maxfailure</span></a>: the number of failed attempts
before the principal is locked out</p></li>
<li><p><a class="reference internal" href="admin_commands/kadmin_local.html#policy-failurecountinterval"><span class="std std-ref">failurecountinterval</span></a>: the
allowable interval between failed attempts</p></li>
<li><p><a class="reference internal" href="admin_commands/kadmin_local.html#policy-lockoutduration"><span class="std std-ref">lockoutduration</span></a>: the amount of time
a principal is locked out for</p></li>
</ul>
<p>Here is an example of setting these parameters on a new policy and
associating it with a principal:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addpol</span> <span class="o">-</span><span class="n">maxfailure</span> <span class="mi">10</span> <span class="o">-</span><span class="n">failurecountinterval</span> <span class="mi">180</span>
<span class="o">-</span><span class="n">lockoutduration</span> <span class="mi">60</span> <span class="n">lockout_policy</span>
<span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">policy</span> <span class="n">lockout_policy</span> <span class="n">PRINCNAME</span>
</pre></div>
</div>
</section>
<section id="testing-account-lockout">
<h2>Testing account lockout<a class="headerlink" href="#testing-account-lockout" title="Link to this heading">¶</a></h2>
<p>To test that account lockout is working, try authenticating as the
principal (hopefully not one that might be in use) multiple times with
the wrong password. For instance, if <strong>maxfailure</strong> is set to 2, you
might see:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kinit user
Password for user@KRBTEST.COM:
kinit: Password incorrect while getting initial credentials
$ kinit user
Password for user@KRBTEST.COM:
kinit: Password incorrect while getting initial credentials
$ kinit user
kinit: Client's credentials have been revoked while getting initial credentials
</pre></div>
</div>
</section>
<section id="account-lockout-principal-state">
<h2>Account lockout principal state<a class="headerlink" href="#account-lockout-principal-state" title="Link to this heading">¶</a></h2>
<p>A principal entry keeps three pieces of state related to account
lockout:</p>
<ul class="simple">
<li><p>The time of last successful authentication</p></li>
<li><p>The time of last failed authentication</p></li>
<li><p>A counter of failed attempts</p></li>
</ul>
<p>The time of last successful authentication is not actually needed for
the account lockout system to function, but may be of administrative
interest. These fields can be observed with the <strong>getprinc</strong> kadmin
command. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">user</span>
<span class="n">Principal</span><span class="p">:</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span>
<span class="o">...</span>
<span class="n">Last</span> <span class="n">successful</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
<span class="n">Last</span> <span class="n">failed</span> <span class="n">authentication</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Dec</span> <span class="mi">03</span> <span class="mi">12</span><span class="p">:</span><span class="mi">30</span><span class="p">:</span><span class="mi">33</span> <span class="n">EST</span> <span class="mi">2012</span>
<span class="n">Failed</span> <span class="n">password</span> <span class="n">attempts</span><span class="p">:</span> <span class="mi">2</span>
<span class="o">...</span>
</pre></div>
</div>
<p>A principal which has been locked out can be administratively unlocked
with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin command:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">unlock</span> <span class="n">PRINCNAME</span>
</pre></div>
</div>
<p>This command will reset the number of failed attempts to 0.</p>
</section>
<section id="kdc-replication-and-account-lockout">
<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Link to this heading">¶</a></h2>
<p>The account lockout state of a principal is not replicated by either
traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> or incremental propagation. Because of
this, the number of attempts an attacker can make within a time period
is multiplied by the number of KDCs. For instance, if the
<strong>maxfailure</strong> parameter on a policy is 10 and there are four KDCs in
the environment (a primary and three replicas), an attacker could make
as many as 40 attempts before the principal is locked out on all four
KDCs.</p>
<p>An administrative unlock is propagated from the primary to the replica
KDCs during the next propagation. Propagation of an administrative
unlock will cause the counter of failed attempts on each replica to
reset to 1 on the next failure.</p>
<p>If a KDC environment uses a replication strategy other than kprop or
incremental propagation, such as the LDAP KDB module with multi-master
LDAP replication, then account lockout state may be replicated between
KDCs and the concerns of this section may not apply.</p>
</section>
<section id="kdc-performance-and-account-lockout">
<span id="disable-lockout"></span><h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Link to this heading">¶</a></h2>
<p>In order to fully track account lockout state, the KDC must write to
the the database on each successful and failed authentication.
Writing to the database is generally more expensive than reading from
it, so these writes may have a significant impact on KDC performance.
As of release 1.9, it is possible to turn off account lockout state
tracking in order to improve performance, by setting the
<strong>disable_last_success</strong> and <strong>disable_lockout</strong> variables in the
database module subsection of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
<span class="n">DB</span> <span class="o">=</span> <span class="p">{</span>
<span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span>
<span class="n">disable_lockout</span> <span class="o">=</span> <span class="n">true</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Of the two variables, setting <strong>disable_last_success</strong> will usually
have the largest positive impact on performance, and will still allow
account lockout policies to operate. However, it will make it
impossible to observe the last successful authentication time with
kadmin.</p>
</section>
<section id="kdc-setup-and-account-lockout">
<h2>KDC setup and account lockout<a class="headerlink" href="#kdc-setup-and-account-lockout" title="Link to this heading">¶</a></h2>
<p>To update the account lockout state on principals, the KDC must be
able to write to the principal database. For the DB2 module, no
special setup is required. For the LDAP module, the KDC DN must be
granted write access to the principal objects. If the KDC DN has only
read access, account lockout will not function.</p>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">Account lockout</a><ul>
<li><a class="reference internal" href="#configuring-account-lockout">Configuring account lockout</a></li>
<li><a class="reference internal" href="#testing-account-lockout">Testing account lockout</a></li>
<li><a class="reference internal" href="#account-lockout-principal-state">Account lockout principal state</a></li>
<li><a class="reference internal" href="#kdc-replication-and-account-lockout">KDC replication and account lockout</a></li>
<li><a class="reference internal" href="#kdc-performance-and-account-lockout">KDC performance and account lockout</a></li>
<li><a class="reference internal" href="#kdc-setup-and-account-lockout">KDC setup and account lockout</a></li>
</ul>
</li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.22.1</i><br />
© <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="dbtypes.html" title="Database types"
>previous</a> |
<a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
<a href="../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a>
</div>
</div>
</div>
</body>
</html>
|
