From: Tom Yu Date: Mon, 5 Dec 2011 20:53:52 +0000 (+0000) Subject: pull up r25480 from trunk X-Git-Tag: krb5-1.10-alpha2~16 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=741ead4255452a105cbac12382be58ad3a2b670a;p=krb5.git pull up r25480 from trunk ------------------------------------------------------------------------ r25480 | ghudson | 2011-11-20 00:19:45 -0500 (Sun, 20 Nov 2011) | 13 lines ticket: 7021 subject: Fix failure interval of 0 in LDAP lockout code target_version: 1.10 tags: pullup A failure count interval of 0 caused krb5_ldap_lockout_check_policy to pass the lockout check (but didn't cause a reset of the failure count in krb5_ldap_lockout_audit). It should be treated as forever, as in the DB2 back end. This bug is the previously unknown cause of the assertion failure fixed in CVE-2011-1528. ticket: 7021 version_fixed: 1.10 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25512 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M index 9599bbf89..b05007a53 100644 --- a/src/kadmin/cli/kadmin.M +++ b/src/kadmin/cli/kadmin.M @@ -726,12 +726,13 @@ principals which require preauthentication. sets the allowable time between authentication failures. If an authentication failure happens after \fIfailuretime\fP has elapsed since the previous failure, the number of authentication failures is -reset to 1. +reset to 1. A failure count interval of 0 means forever. .TP \fB\-lockoutduration\fP \fIlockouttime\fP sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the -specified failure count interval elapsing. +specified failure count interval elapsing. A duration of 0 means +forever. .sp .nf .TP diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c index 36505f832..83d79e098 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c @@ -127,7 +127,7 @@ krb5_ldap_lockout_check_policy(krb5_context context, code = lookup_lockout_policy(context, entry, &max_fail, &failcnt_interval, &lockout_duration); - if (code != 0 || failcnt_interval == 0) + if (code != 0) return code; if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))