From 65dd006f5838333bbd17c4957fa2f654a08a29ba Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 16 May 2011 04:20:55 +0000 Subject: Document the lockout-related options in kadmin (modprinc -unlock and addpol/modpol -maxfailure, -failurecountinterval, and -lockoutduration), in the man page and in admin.texinfo. Based on text submitted by shawn.emery@oracle.com. ticket: 6910 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/cli/kadmin.M | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'src') diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M index 7e6db2c61b..f847c8235d 100644 --- a/src/kadmin/cli/kadmin.M +++ b/src/kadmin/cli/kadmin.M @@ -526,6 +526,11 @@ Associates a Kerberos principal with a LDAP object. This option is honored only if the Kerberos principal is not already associated with a LDAP object. .RE .TP +.B \-unlock +Unlocks a locked principal (one which has received too many failed +authentication attempts without enough time between them according to +its password policy) so that it can successfully authenticate. +.TP ERRORS: KADM5_AUTH_MODIFY (requires "modify" privilege) KADM5_UNK_PRINC (principal does not exist) @@ -689,6 +694,22 @@ sets the minimum number of character classes allowed in a password .TP \fB\-history\fP \fInumber\fP sets the number of past keys kept for a principal. This option is not supported for LDAP database +.TP +\fB\-maxfailure\fP \fImaxnumber\fP +sets the maximum number of authentication failures before the +principal is locked. Authentication failures are only tracked for +principals which require preauthentication. +.TP +\fB\-failurecountinterval\fP \fIfailuretime\fP +sets the allowable time between authentication failures. If an +authentication failure happens after \fIfailuretime\fP has elapsed +since the previous failure, the number of authentication failures is +reset to 1. +.TP +\fB\-lockoutduration\fP \fIlockouttime\fP +sets the duration for which the principal is locked from +authenticating if too many authentication failures occur without the +specified failure count interval elapsing. .sp .nf .TP -- cgit