[CentOS] Kerberos failed password not working

Reid O

hpc_reid at hotmail.com
Wed Mar 21 20:50:39 UTC 2012


Hello,
  I have recently set up a system to test the relatively new ability of Kerberos to track failed password attempts and lock out users for a given period of time if they exceed a threshold. My system is CentOS 6.2 running the krb5-server-1.9-22.el6_2.1.x86_64 RPM. I have created a testuser in the Kerberos domain and applied the policy as shown below. If I then attempt to log on to the server via SSH or to get a ticket via kinit and purposefully munge my password multiple times, it does not lock me out, nor does getprinc reflect the failed attempts. I can't find much documentation on this feature; there don't seem to be any configuration options in kdc.conf or elsewhere other than in the user policy. Even there, the kadmin man page is out of date and doesn't include the password lockout duration flags to add_policy and the like. Any pointers?


[root at hpctest-krb2 ~]# kadmin.local -q 'add_policy -maxlife "101 days" -minlength 8 -minclasses 2 -history 2 -maxfailure 3 -failurecountinterval "5min" -lockoutduration "5min" NewUser '
...
[root at hpctest-krb2 ~]# kadmin.local -q "getpol NewUser"
Authenticating as principal root/admin at TESTKDC with password.
Policy: NewUser
Maximum password life: 8726400
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 2
Reference count: 1
Maximum password failures before lockout: 3
Password failure count reset interval: 5
Password lockout duration: 5
[root at hpctest-krb2 ~]#
[root at hpctest-krb2 ~]# kadmin.local -q "getprinc testuser"
Authenticating as principal root/admin at TESTKDC with password.
Principal: testuser at TESTKDC
Expiration date: [never]
Last password change: Fri Mar 16 14:29:33 EDT 2012
Password expiration date: Mon Jun 25 14:29:33 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 20:00:00
Last modified: Fri Mar 16 14:29:33 EDT 2012 (root/admin at TESTKDC)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: NewUser
[root at hpctest-krb2 ~]# kinit testuser
Password for testuser at TESTKDC:
kinit: Password incorrect while getting initial credentials
[root at hpctest-krb2 ~]# kadmin.local -q "getprinc testuser"
Authenticating as principal root/admin at TESTKDC with password.
Principal: testuser at TESTKDC
Expiration date: [never]
Last password change: Fri Mar 16 14:29:33 EDT 2012
Password expiration date: Mon Jun 25 14:29:33 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 20:00:00
Last modified: Fri Mar 16 14:29:33 EDT 2012 (root/admin at TESTKDC)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: NewUser

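Added example (not part of the original post): a small Python check that parses kadmin getpol/getprinc output like the transcript above and reports whether the policy's lockout counter can actually advance. The samples are constructed from the post's output; the key point it encodes is that the KDC only observes a wrong password when the principal has REQUIRES_PRE_AUTH set, which is why the transcript's empty "Attributes:" line goes with a counter stuck at 0 and kinit's "Password incorrect" (client-side decryption failure) rather than "Preauthentication failed".

```python
# Constructed samples modelled on the kadmin output in the post above.
POLICY_TEXT = """\
Policy: NewUser
Maximum password failures before lockout: 3
Password failure count reset interval: 5
Password lockout duration: 5
"""
PRINC_NO_PREAUTH = """\
Principal: testuser@TESTKDC
Failed password attempts: 0
Attributes:
Policy: NewUser
"""
# Constructed: the same principal after REQUIRES_PRE_AUTH was set and
# three wrong passwords were entered (hypothetical state, not from the post).
PRINC_PREAUTH = """\
Principal: testuser@TESTKDC
Failed password attempts: 3
Attributes: REQUIRES_PRE_AUTH
Policy: NewUser
"""


def parse_kadmin(text):
    """Turn 'Field: value' lines into a dict; repeated fields (e.g. Key:) keep the first."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in out:
            out[key.strip()] = value.strip()
    return out


def lockout_status(princ_text, policy_text):
    """Compare a principal's failure counter with its policy's lockout threshold."""
    princ = parse_kadmin(princ_text)
    policy = parse_kadmin(policy_text)
    failures = int(princ.get("Failed password attempts", "0"))
    maxfail = int(policy.get("Maximum password failures before lockout", "0"))
    preauth = "REQUIRES_PRE_AUTH" in princ.get("Attributes", "").split()
    # maxfailure 0 disables lockout; lockout duration expiry is not modelled here.
    status = {"failures": failures, "maxfailure": maxfail,
              "preauth_required": preauth, "locked": maxfail > 0 and failures >= maxfail}
    if not preauth:
        # Without preauth the KDC never sees a wrong password: it issues a TGT that the
        # client just fails to decrypt, so the counter cannot advance (the post's state).
        status["note"] = "lockout cannot count failures: principal lacks REQUIRES_PRE_AUTH"
    else:
        status["note"] = "lockout active" if maxfail else "policy has maxfailure 0"
    return status
```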