author: Greg Hudson <ghudson@mit.edu> 2011-11-20 05:19:45 +0000
committer: Greg Hudson <ghudson@mit.edu> 2011-11-20 05:19:45 +0000
commit: 4a84d4137426d0951d5565adef30efebab719d23
tree: 7766a40972a4320d3c3408e3d65f2eed9ab237cb /src/kadmin/cli
parent: 3820268fb7e226be78218b9853723f8d4c9c924a
Fix failure interval of 0 in LDAP lockout code

A failure count interval of 0 caused krb5_ldap_lockout_check_policy to pass the lockout check (but didn't cause a reset of the failure count in krb5_ldap_lockout_audit). It should be treated as forever, as in the DB2 back end. This bug is the previously unknown cause of the assertion failure fixed in CVE-2011-1528.

ticket: 7021
target_version: 1.10
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970

Diffstat (limited to 'src/kadmin/cli')
-rw-r--r--  src/kadmin/cli/kadmin.M  5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index 9599bbf89..b05007a53 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -726,12 +726,13 @@ principals which require preauthentication.
sets the allowable time between authentication failures. If an
authentication failure happens after \fIfailuretime\fP has elapsed
since the previous failure, the number of authentication failures is
-reset to 1.
+reset to 1. A failure count interval of 0 means forever.
.TP
\fB\-lockoutduration\fP \fIlockouttime\fP
sets the duration for which the principal is locked from
authenticating if too many authentication failures occur without the
-specified failure count interval elapsing.
+specified failure count interval elapsing. A duration of 0 means
+forever.
.sp
.nf
.TP
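
Review bot: "means forever" in both added sentences leaves the reader to work out what lasts forever, and the first one sits right after "reset to 1." where it can be read either way. For the failure count interval, say outright that with a value of 0 the failure count is never reset because of elapsed time; for \fIlockouttime\fP, say that with a value of 0 the lock does not expire on its own. The commit message only discusses the failure count interval, so the new lockout duration sentence should either be mentioned there or be confirmed to document behavior that already exists. Minor style point: the second addition is wrapped onto a new line while the first is appended to the existing line; pick one and keep the roff source consistent.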