From 4a84d4137426d0951d5565adef30efebab719d23 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sun, 20 Nov 2011 05:19:45 +0000 Subject: Fix failure interval of 0 in LDAP lockout code A failure count interval of 0 caused krb5_ldap_lockout_check_policy to pass the lockout check (but didn't cause a reset of the failure count in krb5_ldap_lockout_audit). It should be treated as forever, as in the DB2 back end. This bug is the previously unknown cause of the assertion failure fixed in CVE-2011-1528. ticket: 7021 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/cli/kadmin.M | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src/kadmin') diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M index 9599bbf89e..b05007a53c 100644 --- a/src/kadmin/cli/kadmin.M +++ b/src/kadmin/cli/kadmin.M @@ -726,12 +726,13 @@ principals which require preauthentication. sets the allowable time between authentication failures. If an authentication failure happens after \fIfailuretime\fP has elapsed since the previous failure, the number of authentication failures is -reset to 1. +reset to 1. A failure count interval of 0 means forever. .TP \fB\-lockoutduration\fP \fIlockouttime\fP sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the -specified failure count interval elapsing. +specified failure count interval elapsing. A duration of 0 means +forever. .sp .nf .TP -- cgit
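Review bot: The new sentence "A failure count interval of 0 means forever" leaves it unclear what lasts forever; since the sentence before it describes when the count is reset to 1, phrasing it as "A failure count interval of 0 means the failure count is never reset by elapsed time" states the semantics the commit message describes (treat 0 as forever, as in the DB2 back end), and the parallel "A duration of 0 means forever" reads more precisely as "A lockout duration of 0 means the lockout never expires". Note also that this diff is limited to src/kadmin, so the behavioural fix to krb5_ldap_lockout_check_policy and krb5_ldap_lockout_audit named in the commit message is not visible here; confirm the LDAP back-end change ships in the same 1.10 pullup so the man page does not describe behaviour the back end does not yet implement.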