[CentOS] Kerberos failed password not working

Reid O hpc_reid at hotmail.com
Wed Mar 21 16:50:39 EDT 2012


Hello,
  I have recently set up a system to test the relatively new ability of Kerberos to track failed password attempts and lock out users for a given period of time if they exceed a threshold.  My system is Centos 6.2 running the krb5-server-1.9-22.el6_2.1.x86_64 RPM.  I have created a testuser in the Kerberos domain, and applied the policy as shown below.  If I then attempt to log on to the server via SSH or to get a ticket via kinit and purposefully munge my password multiple times, it does not lock me out.  Nor does getprinc reflect the failed attempts.  I can't find much documentation on this feature, there doesn't seem to be any configuration options in kdc.conf or elsewhere other than in the User Policy.  Even there, the kadmin man page is out of date and doesn't include the password lockout duration flags to add_policy and the like.  Any pointers?


[root at hpctest-krb2 ~]# kadmin.local -q 'add_policy -maxlife "101 days" -minlength 8 -minclasses 2 -history 2 -maxfailure 3 -failurecountinterval "5min" -lockoutduration "5min" NewUser '
...
[root at hpctest-krb2 ~]# kadmin.local -q "getpol NewUser"
Authenticating as principal root/admin at TESTKDC with password.
Policy: NewUser
Maximum password life: 8726400
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 2
Reference count: 1
Maximum password failures before lockout: 3
Password failure count reset interval: 5
Password lockout duration: 5
[root at hpctest-krb2 ~]#
[root at hpctest-krb2 ~]# kadmin.local -q "getprinc testuser"
Authenticating as principal root/admin at TESTKDC with password.
Principal: testuser at TESTKDC
Expiration date: [never]
Last password change: Fri Mar 16 14:29:33 EDT 2012
Password expiration date: Mon Jun 25 14:29:33 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 20:00:00
Last modified: Fri Mar 16 14:29:33 EDT 2012 (root/admin at TESTKDC)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: NewUser
[root at hpctest-krb2 ~]# kinit testuser
Password for testuser at TESTKDC:
kinit: Password incorrect while getting initial credentials
[root at hpctest-krb2 ~]# kadmin.local -q "getprinc testuser"
Authenticating as principal root/admin at TESTKDC with password.
Principal: testuser at TESTKDC
Expiration date: [never]
Last password change: Fri Mar 16 14:29:33 EDT 2012
Password expiration date: Mon Jun 25 14:29:33 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 20:00:00
Last modified: Fri Mar 16 14:29:33 EDT 2012 (root/admin at TESTKDC)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: NewUser

 		 	   		  


More information about the CentOS mailing list