author: Greg Hudson <ghudson@mit.edu> 2011-05-16 04:20:55 +0000
committer: Greg Hudson <ghudson@mit.edu> 2011-05-16 04:20:55 +0000
commit: 65dd006f5838333bbd17c4957fa2f654a08a29ba (patch)
tree: 66cf600824cb3711431ebd9f776f6445fa04ae31
parent: 9883d15e9ffb89a0c1e3a9d8d6afda86ccb8e5e2 (diff)
Document the lockout-related options in kadmin (modprinc -unlock and
addpol/modpol -maxfailure, -failurecountinterval, and -lockoutduration),
in the man page and in admin.texinfo. Based on text submitted by
shawn.emery@oracle.com.

ticket: 6910
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--  doc/admin.texinfo       | 21
-rw-r--r--  src/kadmin/cli/kadmin.M | 21
2 files changed, 42 insertions, 0 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 427f64eca..2dcbb7280 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -2434,6 +2434,11 @@ of the principal. The quotes are necessary if there are multiple
enctype-salttype pairs. This will not function against kadmin daemons
earlier than krb5-1.2. See @ref{Supported Encryption Types} and
@ref{Salts} for available types.
+
+@item -unlock
+Unlocks a locked principal (one which has received too many failed
+authentication attempts without enough time between them according to
+its password policy) so that it can successfully authenticate.
@end table
If you want to just use the default values, all you need to do is:
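Review bot: the parenthetical in the new -unlock entry ("too many failed authentication attempts without enough time between them according to its password policy") describes the lock condition without naming the policy settings that define it; consider cross-referencing the -maxfailure and -failurecountinterval policy options added later in this file, and -lockoutduration, since -unlock is the manual way to release a lock before that duration elapses, so that a reader of the modprinc section can find the policy knobs. The entry also does not say what happens when -unlock is applied to a principal that is not currently locked.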
@@ -2778,6 +2783,22 @@ Requires at least @i{number} of character classes in a password.
@item -history @i{number}
Sets the number of past keys kept for a principal to @i{number}. This option is not supported for LDAP database.
+
+@item -maxfailure @i{maxnumber}
+Sets the maximum number of authentication failures before the principal
+is locked. Authentication failures are only tracked for principals
+which require preauthentication.
+
+@item -failurecountinterval @i{failuretime}
+Sets the allowable time between authentication failures. If an
+authentication failure happens after @i{failuretime} has elapsed since
+the previous failure, the number of authentication failures is reset to
+1.
+
+@item -lockoutduration @i{lockouttime}
+Sets the duration for which the principal is locked from authenticating
+if too many authentication failures occur without the specified failure
+count interval elapsing.
@end table
@c **** An example here would be nice. ****
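Review bot: the -failurecountinterval and -lockoutduration entries take time arguments (@i{failuretime}, @i{lockouttime}) but do not say in what format they are given or whether a value of 0 disables the corresponding behaviour (no failure-count reset, or an indefinite lock); these are the two settings an administrator must get right to avoid an accidental denial of service against legitimate principals, so stating the accepted time format and the meaning of 0 would help. The existing "@c **** An example here would be nice. ****" comment at the end of this table is still true; a single addpol invocation showing -maxfailure, -failurecountinterval and -lockoutduration together would be a natural candidate.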
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index 7e6db2c61..f847c8235 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -526,6 +526,11 @@ Associates a Kerberos principal with a LDAP object. This option is honored only
if the Kerberos principal is not already associated with a LDAP object.
.RE
.TP
+.B \-unlock
+Unlocks a locked principal (one which has received too many failed
+authentication attempts without enough time between them according to
+its password policy) so that it can successfully authenticate.
+.TP
ERRORS:
KADM5_AUTH_MODIFY (requires "modify" privilege)
KADM5_UNK_PRINC (principal does not exist)
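Review bot: the ERRORS block that immediately follows the new -unlock entry lists KADM5_AUTH_MODIFY (requires "modify" privilege), so it is worth saying in the -unlock description itself that clearing a lockout needs the modify privilege on the principal; releasing a lock overrides the protection the policy's lockout provides, and operators may otherwise expect it to be a separately controlled action. The wording here is identical to the admin.texinfo hunk; keep the two in sync if either is revised.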
@@ -689,6 +694,22 @@ sets the minimum number of character classes allowed in a password
.TP
\fB\-history\fP \fInumber\fP
sets the number of past keys kept for a principal. This option is not supported for LDAP database
+.TP
+\fB\-maxfailure\fP \fImaxnumber\fP
+sets the maximum number of authentication failures before the
+principal is locked. Authentication failures are only tracked for
+principals which require preauthentication.
+.TP
+\fB\-failurecountinterval\fP \fIfailuretime\fP
+sets the allowable time between authentication failures. If an
+authentication failure happens after \fIfailuretime\fP has elapsed
+since the previous failure, the number of authentication failures is
+reset to 1.
+.TP
+\fB\-lockoutduration\fP \fIlockouttime\fP
+sets the duration for which the principal is locked from
+authenticating if too many authentication failures occur without the
+specified failure count interval elapsing.
.sp
.nf
.TP
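Review bot: the -maxfailure entry states that failures are only tracked for principals which require preauthentication, which means a principal that does not require preauthentication gets no lockout protection at all regardless of the policy attached to it; that consequence is easy to miss, so consider spelling out that the lockout settings only take effect for principals with preauthentication required (in kadmin, the requires_preauth principal attribute), and that -lockoutduration therefore does nothing for other principals.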