diff options
author | Greg Hudson <ghudson@mit.edu> | 2011-05-16 04:20:55 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2011-05-16 04:20:55 +0000 |
commit | 65dd006f5838333bbd17c4957fa2f654a08a29ba (patch) | |
tree | 66cf600824cb3711431ebd9f776f6445fa04ae31 /src/kadmin/cli/kadmin.M | |
parent | 9883d15e9ffb89a0c1e3a9d8d6afda86ccb8e5e2 (diff) | |
download | krb5-65dd006f5838333bbd17c4957fa2f654a08a29ba.tar.gz krb5-65dd006f5838333bbd17c4957fa2f654a08a29ba.tar.xz krb5-65dd006f5838333bbd17c4957fa2f654a08a29ba.zip |
Document the lockout-related options in kadmin (modprinc -unlock and
addpol/modpol -maxfailure, -failurecountinterval, and
-lockoutduration), in the man page and in admin.texinfo. Based on
text submitted by shawn.emery@oracle.com.
ticket: 6910
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/cli/kadmin.M')
-rw-r--r-- | src/kadmin/cli/kadmin.M | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M index 7e6db2c61b..f847c8235d 100644 --- a/src/kadmin/cli/kadmin.M +++ b/src/kadmin/cli/kadmin.M @@ -526,6 +526,11 @@ Associates a Kerberos principal with a LDAP object. This option is honored only if the Kerberos principal is not already associated with a LDAP object. .RE .TP +.B \-unlock +Unlocks a locked principal (one which has received too many failed +authentication attempts without enough time between them according to +its password policy) so that it can successfully authenticate. +.TP ERRORS: KADM5_AUTH_MODIFY (requires "modify" privilege) KADM5_UNK_PRINC (principal does not exist) @@ -689,6 +694,22 @@ sets the minimum number of character classes allowed in a password .TP \fB\-history\fP \fInumber\fP sets the number of past keys kept for a principal. This option is not supported for LDAP database +.TP +\fB\-maxfailure\fP \fImaxnumber\fP +sets the maximum number of authentication failures before the +principal is locked. Authentication failures are only tracked for +principals which require preauthentication. +.TP +\fB\-failurecountinterval\fP \fIfailuretime\fP +sets the allowable time between authentication failures. If an +authentication failure happens after \fIfailuretime\fP has elapsed +since the previous failure, the number of authentication failures is +reset to 1. +.TP +\fB\-lockoutduration\fP \fIlockouttime\fP +sets the duration for which the principal is locked from +authenticating if too many authentication failures occur without the +specified failure count interval elapsing. .sp .nf .TP |