author | Greg Hudson <ghudson@mit.edu> | 2009-10-25 16:55:12 +0000 |
committer | Greg Hudson <ghudson@mit.edu> | 2009-10-25 16:55:12 +0000 |
commit | 8d31a9d396f5bea88def4db395ad12dca2ac2e9f (patch) | |
tree | 244f8f5b525432a2a2a280403f38d7b2fbdc0dfd /src/lib/kadm5/srv | |
parent | b82e46df9b6cbf663512985a99c6d79f2b0cb796 (diff) | |
Account lockout
Merge Luke's users/lhoward/lockout2 branch to trunk. Implements
account lockout policies for preauth-using principals using existing
principal metadata fields and new policy fields. The kadmin API
version is bumped from 2 to 3 to compatibly extend the policy_ent_rec
structure.
ticket: 6577
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kadm5/srv')
-rw-r--r-- | src/lib/kadm5/srv/server_init.c | 2 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_kdb.c | 3 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_policy.c | 33 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 37 |
4 files changed, 69 insertions, 6 deletions
diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c
index 47bc22c..d5426f8 100644
--- a/src/lib/kadm5/srv/server_init.c
+++ b/src/lib/kadm5/srv/server_init.c
@@ -273,7 +273,7 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass,
 return ENOMEM;
 }
 *handle->lhandle = *handle;
- handle->lhandle->api_version = KADM5_API_VERSION_2;
+ handle->lhandle->api_version = KADM5_API_VERSION_3;
 handle->lhandle->struct_version = KADM5_STRUCT_VERSION;
 handle->lhandle->lhandle = handle->lhandle;
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 47f00c0..fe2020d 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -395,6 +395,9 @@ kdb_put_entry(kadm5_server_handle_t handle,
 one = 1;
+ /* we are always updating TL data */
+ kdb->mask |= KADM5_TL_DATA;
+
 ret = krb5_db_put_principal(handle->context, kdb, &one);
 if (ret)
 return(ret);
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index 5b7828c..0d8c5ce 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -140,6 +140,26 @@ kadm5_create_policy_internal(void *server_handle,
 pent.policy_refcnt = 0;
 else
 pent.policy_refcnt = entry->policy_refcnt;
+
+ if (handle->api_version == KADM5_API_VERSION_3) {
+ if (!(mask & KADM5_PW_MAX_FAILURE))
+ pent.pw_max_fail = 0;
+ else
+ pent.pw_max_fail = entry->pw_max_fail;
+ if (!(mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
+ pent.pw_failcnt_interval = 0;
+ else
+ pent.pw_failcnt_interval = entry->pw_failcnt_interval;
+ if (!(mask & KADM5_PW_LOCKOUT_DURATION))
+ pent.pw_lockout_duration = 0;
+ else
+ pent.pw_lockout_duration = entry->pw_lockout_duration;
+ } else {
+ pent.pw_max_fail = 0;
+ pent.pw_failcnt_interval = 0;
+ pent.pw_lockout_duration = 0;
+ }
+
 if ((ret = krb5_db_create_policy(handle->context, &pent)))
 return ret;
 else
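Review bot: The comment on the new `kdb->mask |= KADM5_TL_DATA;` line in kdb_put_entry states that TL data is always updated but not why, which is exactly what a maintainer deciding whether this unconditional bit can go will need. Presumably kdb_put_entry serializes the kadm5 admin data into the entry's TL data before this call, so a provider that writes only masked fields must be told; if so, say that: `/* kdb_put_entry always rewrites the kadm5 TL data, so providers that honor the mask must be told to store it. */`. kdb_put_entry's body starts outside the hunk, so I cannot confirm where the TL data is written.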
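Review bot: The new block in kadm5_create_policy_internal keys the lockout fields on `handle->api_version == KADM5_API_VERSION_3`, so a handle with any later API version would fall into the else branch and silently zero pw_max_fail, pw_failcnt_interval and pw_lockout_duration on every create; `>=` is the forward-compatible test, and the same equality appears in the kadm5_modify_policy_internal and kadm5_get_policy hunks on the next line, where a later version would have the fields ignored or left unset. The one-line fix is `if (handle->api_version >= KADM5_API_VERSION_3) {` in all three places. Separately, no range check is applied to the three values here; if pw_failcnt_interval and pw_lockout_duration are signed delta types, a negative value should be rejected the way the older policy fields are presumably validated earlier in this function, outside the hunk.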
@@ -248,6 +268,14 @@ kadm5_modify_policy_internal(void *server_handle,
 }
 if ((mask & KADM5_REF_COUNT))
 p->policy_refcnt = entry->policy_refcnt;
+ if (handle->api_version == KADM5_API_VERSION_3) {
+ if ((mask & KADM5_PW_MAX_FAILURE))
+ p->pw_max_fail = entry->pw_max_fail;
+ if ((mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
+ p->pw_failcnt_interval = entry->pw_failcnt_interval;
+ if ((mask & KADM5_PW_LOCKOUT_DURATION))
+ p->pw_lockout_duration = entry->pw_lockout_duration;
+ }
 ret = krb5_db_put_policy(handle->context, p);
 krb5_db_free_policy(handle->context, p);
 return ret;
@@ -286,6 +314,11 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
 entry->pw_min_classes = t->pw_min_classes;
 entry->pw_history_num = t->pw_history_num;
 entry->policy_refcnt = t->policy_refcnt;
+ if (handle->api_version == KADM5_API_VERSION_3) {
+ entry->pw_max_fail = t->pw_max_fail;
+ entry->pw_failcnt_interval = t->pw_failcnt_interval;
+ entry->pw_lockout_duration = t->pw_lockout_duration;
+ }
 krb5_db_free_policy(handle->context, t);
 return KADM5_OK;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 1a60f52..7ba89ec 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -650,8 +650,6 @@ kadm5_modify_principal(void *server_handle,
 kdb.pw_expiration = entry->pw_expiration;
 if (mask & KADM5_MAX_RLIFE)
 kdb.max_renewable_life = entry->max_renewable_life;
- if (mask & KADM5_FAIL_AUTH_COUNT)
- kdb.fail_auth_count = entry->fail_auth_count;
 if((mask & KADM5_KVNO)) {
 for (i = 0; i < kdb.n_key_data; i++)
@@ -674,6 +672,20 @@ kadm5_modify_principal(void *server_handle,
 }
 }
+ /*
+ * Setting entry->fail_auth_count to 0 can be used to manually unlock
+ * an account. It is not possible to set fail_auth_count to any other
+ * value using kadmin.
+ */
+ if (mask & KADM5_FAIL_AUTH_COUNT) {
+ if (entry->fail_auth_count != 0) {
+ ret = KADM5_BAD_SERVER_PARAMS;
+ goto done;
+ }
+
+ kdb.fail_auth_count = 0;
+ }
+
 /* let the mask propagate to the database provider */
 kdb.mask = mask;
@@ -1443,8 +1455,13 @@ kadm5_chpass_principal_3(void *server_handle,
 if (ret)
 goto done;
+ /* unlock principal on this KDC */
+ kdb.fail_auth_count = 0;
+
 /* key data and attributes changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
+ KADM5_FAIL_AUTH_COUNT;
+ /* | KADM5_CPW_FUNCTION */
 if ((ret = kdb_put_entry(handle, &kdb, &adb)))
 goto done;
@@ -1576,7 +1593,10 @@ kadm5_randkey_principal_3(void *server_handle,
 if (ret)
 goto done;
- if (keyblocks) {
+ /* unlock principal on this KDC */
+ kdb.fail_auth_count = 0;
+
+ if (keyblocks) {
 ret = decrypt_key_data(handle->context, act_mkey, kdb.n_key_data, kdb.key_data, keyblocks, n_keys);
@@ -1585,7 +1605,8 @@ kadm5_randkey_principal_3(void *server_handle,
 }
 /* key data changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA /* | KADM5_RANDKEY_USED */;
+ kdb.mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
+ /* | KADM5_RANDKEY_USED */;
 if ((ret = kdb_put_entry(handle, &kdb, &adb)))
 goto done;
@@ -1753,6 +1774,9 @@ kadm5_setv4key_principal(void *server_handle,
 if (ret)
 goto done;
+ /* unlock principal on this KDC */
+ kdb.fail_auth_count = 0;
+
 if ((ret = kdb_put_entry(handle, &kdb, &adb)))
 goto done;
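Review bot: The added line `+ /* | KADM5_RANDKEY_USED */;` in the second kadm5_randkey_principal_3 hunk leaves the semicolon outside the comment, so the mask assignment is followed by a stray empty statement; the chpass hunk above makes the same split without it. Either drop the semicolon, `/* | KADM5_RANDKEY_USED */`, or keep the comment on the assignment line: `kdb.mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; /* | KADM5_RANDKEY_USED */`.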
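Review bot: In the kadm5_setv4key_principal hunk the unlock is only `kdb.fail_auth_count = 0;`, whereas the chpass and randkey hunks also add KADM5_FAIL_AUTH_COUNT to kdb.mask so the database provider is told the field changed; the kadm5_setkey_principal_3 hunk on the next line has the same shape. The kdb.mask assignment in these two functions lies outside the hunk, so I cannot see whether it was updated; if it was not, a provider that writes only masked fields will not persist the reset and the principal stays locked after a key change. Adding `kdb.mask |= KADM5_FAIL_AUTH_COUNT;` next to the zeroing, immediately before the kdb_put_entry call, would make the four unlock paths consistent.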
@@ -1990,6 +2014,9 @@ kadm5_setkey_principal_3(void *server_handle,
 if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)))
 goto done;
+ /* unlock principal on this KDC */
+ kdb.fail_auth_count = 0;
+
 if ((ret = kdb_put_entry(handle, &kdb, &adb)))
 goto done; |