From 560f2ce8bd0525189e45ff7d8f8d4df11f9c20ff Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 17 May 2012 13:17:21 -0400 Subject: Check for locked-out user before incrementing lastfail. If a user become locked due to too many failed logins and then were unlocked by an administrator, the account would not lock again. This was caused by two things: - We were incrementing the fail counter before checking to see if the account was already locked out. - The current fail count wasn't taken into consideration when deciding if the account is locked. The sequence was this: 1. Unlocked account, set failcount to 0 2. Failed login, increment failcount 3. Within lastfailed + lockout_duration, still locked. This skips update the last_failed date. So I reversed 2 and 3 and check to see if the fail count exceeds policy. https://fedorahosted.org/freeipa/ticket/2765 --- daemons/ipa-kdb/ipa_kdb_audit_as.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c index c71568c3..64af8b2f 100644 --- a/daemons/ipa-kdb/ipa_kdb_audit_as.c +++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c @@ -93,16 +93,18 @@ void ipadb_audit_as_req(krb5_context kcontext, client->mask |= KMASK_FAIL_AUTH_COUNT; } + if (client->last_failed + ied->pol->lockout_duration > authtime && + (client->fail_auth_count >= ied->pol->max_fail && + ied->pol->max_fail != 0)) { + /* client already locked, nothing more to do */ + break; + } if (ied->pol->max_fail == 0 || client->fail_auth_count < ied->pol->max_fail) { /* let's increase the fail counter */ client->fail_auth_count++; client->mask |= KMASK_FAIL_AUTH_COUNT; } - if (client->last_failed + ied->pol->lockout_duration > authtime) { - /* client already locked, nothing more to do */ - break; - } client->last_failed = authtime; client->mask |= KMASK_LAST_FAILED; break; -- cgit