A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit). It should be treated as forever, as in
the DB2 back end.
This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.
ticket: 7021
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480
dc483132-0cff-0310-8789-
dd5450dbe970
sets the allowable time between authentication failures. If an
authentication failure happens after \fIfailuretime\fP has elapsed
since the previous failure, the number of authentication failures is
-reset to 1.
+reset to 1. A failure count interval of 0 means forever.
.TP
\fB\-lockoutduration\fP \fIlockouttime\fP
sets the duration for which the principal is locked from
authenticating if too many authentication failures occur without the
-specified failure count interval elapsing.
+specified failure count interval elapsing. A duration of 0 means
+forever.
.sp
.nf
.TP
code = lookup_lockout_policy(context, entry, &max_fail,
&failcnt_interval,
&lockout_duration);
- if (code != 0 || failcnt_interval == 0)
+ if (code != 0)
return code;
if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))