From: Greg Hudson Date: Mon, 16 May 2011 04:20:55 +0000 (+0000) Subject: Document the lockout-related options in kadmin (modprinc -unlock and X-Git-Tag: krb5-1.10-alpha1~423 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=65dd006f5838333bbd17c4957fa2f654a08a29ba;p=krb5.git Document the lockout-related options in kadmin (modprinc -unlock and addpol/modpol -maxfailure, -failurecountinterval, and -lockoutduration), in the man page and in admin.texinfo. Based on text submitted by shawn.emery@oracle.com. ticket: 6910 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 427f64eca..2dcbb7280 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -2434,6 +2434,11 @@ of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. See @ref{Supported Encryption Types} and @ref{Salts} for available types. + +@item -unlock +Unlocks a locked principal (one which has received too many failed +authentication attempts without enough time between them according to +its password policy) so that it can successfully authenticate. @end table If you want to just use the default values, all you need to do is: @@ -2778,6 +2783,22 @@ Requires at least @i{number} of character classes in a password. @item -history @i{number} Sets the number of past keys kept for a principal to @i{number}. This option is not supported for LDAP database. + +@item -maxfailure @i{maxnumber} +Sets the maximum number of authentication failures before the principal +is locked. Authentication failures are only tracked for principals +which require preauthentication. + +@item -failurecountinterval @i{failuretime} +Sets the allowable time between authentication failures. If an +authentication failure happens after @i{failuretime} has elapsed since +the previous failure, the number of authentication failures is reset to +1. + +@item -lockoutduration @i{lockouttime} +Sets the duration for which the principal is locked from authenticating +if too many authentication failures occur without the specified failure +count interval elapsing. @end table @c **** An example here would be nice. **** diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M index 7e6db2c61..f847c8235 100644 --- a/src/kadmin/cli/kadmin.M +++ b/src/kadmin/cli/kadmin.M @@ -526,6 +526,11 @@ Associates a Kerberos principal with a LDAP object. This option is honored only if the Kerberos principal is not already associated with a LDAP object. .RE .TP +.B \-unlock +Unlocks a locked principal (one which has received too many failed +authentication attempts without enough time between them according to +its password policy) so that it can successfully authenticate. +.TP ERRORS: KADM5_AUTH_MODIFY (requires "modify" privilege) KADM5_UNK_PRINC (principal does not exist) @@ -689,6 +694,22 @@ sets the minimum number of character classes allowed in a password .TP \fB\-history\fP \fInumber\fP sets the number of past keys kept for a principal. This option is not supported for LDAP database +.TP +\fB\-maxfailure\fP \fImaxnumber\fP +sets the maximum number of authentication failures before the +principal is locked. Authentication failures are only tracked for +principals which require preauthentication. +.TP +\fB\-failurecountinterval\fP \fIfailuretime\fP +sets the allowable time between authentication failures. If an +authentication failure happens after \fIfailuretime\fP has elapsed +since the previous failure, the number of authentication failures is +reset to 1. +.TP +\fB\-lockoutduration\fP \fIlockouttime\fP +sets the duration for which the principal is locked from +authenticating if too many authentication failures occur without the +specified failure count interval elapsing. .sp .nf .TP