| author | Greg Hudson <ghudson@mit.edu> | 2009-10-25 16:55:12 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2009-10-25 16:55:12 +0000 |
| commit | 8d31a9d396f5bea88def4db395ad12dca2ac2e9f (patch) | |
| tree | 244f8f5b525432a2a2a280403f38d7b2fbdc0dfd /src/kadmin/cli | |
| parent | b82e46df9b6cbf663512985a99c6d79f2b0cb796 (diff) | |
Account lockout
Merge Luke's users/lhoward/lockout2 branch to trunk. Implements
account lockout policies for preauth-using principals, based on existing
principal metadata fields and new policy fields. The kadmin API
version is bumped from 2 to 3 so that the policy_ent_rec structure can
be extended compatibly.
ticket: 6577
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/cli')
| -rw-r--r-- | src/kadmin/cli/kadmin.c | 55 |
1 files changed, 48 insertions, 7 deletions
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index ad9f6bc9b..51746def4 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -486,7 +486,7 @@ kadmin_startup(int argc, char *argv[])
 princstr);
 retval = kadm5_init_with_creds(context, princstr, cc,
 svcname, ¶ms, KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2, db_args, &handle);
+ KADM5_API_VERSION_3, db_args, &handle);
 } else if (use_keytab) {
 if (keytab_name)
 printf("Authenticating as principal %s with keytab %s.\n",
@@ -496,13 +496,13 @@ kadmin_startup(int argc, char *argv[])
 princstr);
 retval = kadm5_init_with_skey(context, princstr, keytab_name,
 svcname, ¶ms, KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2, db_args, &handle);
+ KADM5_API_VERSION_3, db_args, &handle);
 } else {
 printf("Authenticating as principal %s with password.\n",
 princstr);
 retval = kadm5_init_with_password(context, princstr, password,
 svcname, ¶ms, KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2, db_args,
+ KADM5_API_VERSION_3, db_args,
 &handle);
 }
 if (retval) {
@@ -970,6 +970,11 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
 }
 }
 #endif /* APPLE_PKINIT */
+ if (strlen(argv[i]) == 7 && !strcmp("-unlock", argv[i])) {
+ oprinc->fail_auth_count = 0;
+ *mask |= KADM5_FAIL_AUTH_COUNT;
+ continue;
+ }
 if (!strcmp("-e", argv[i])) {
 if (++i > argc - 2)
 return -1;
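Review bot: The `strlen(argv[i]) == 7 &&` guard on the new `-unlock` check in the kadmin_parse_princ_args hunk is redundant, because `!strcmp("-unlock", argv[i])` already fails for any string of a different length; the `-e` check two lines below uses a bare `strcmp`, so `if (!strcmp("-unlock", argv[i])) {` matches the surrounding code. The same redundant `strlen` prefix appears on the three `-maxfailure`, `-failurecountinterval` and `-lockoutduration` checks in the kadmin_parse_policy_args hunk, which also put the arguments to `strcmp` in the opposite order from this one. Zeroing `fail_auth_count` is the operator-facing way to clear a lockout, so a why-comment such as `/* -unlock: reset the failed-authentication counter, which presumably clears an account lockout */` would help the next reader, as the connection to lockout is only visible in the commit message. kadmin_parse_princ_args starts and ends outside the hunk.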
@@ -1047,7 +1052,7 @@ kadmin_modprinc_usage()
 {
 fprintf(stderr, "usage: modify_principal [options] principal\n");
 fprintf(stderr, "\toptions are:\n");
- fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n\t\t[-maxrenewlife maxrenewlife] [{+|-}attribute]\n");
+ fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n");
 fprintf(stderr, "\tattributes are:\n");
 fprintf(stderr, "%s%s%s",
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
@@ -1496,6 +1501,33 @@ kadmin_parse_policy_args(int argc, char *argv[], kadm5_policy_ent_t policy,
 *mask |= KADM5_PW_HISTORY_NUM;
 continue;
 }
+ } else if (strlen(argv[i]) == 11 &&
+ !strcmp(argv[i], "-maxfailure")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ policy->pw_max_fail = atoi(argv[i]);
+ *mask |= KADM5_PW_MAX_FAILURE;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 21 &&
+ !strcmp(argv[i], "-failurecountinterval")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ policy->pw_failcnt_interval = atoi(argv[i]);
+ *mask |= KADM5_PW_FAILURE_COUNT_INTERVAL;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 16 &&
+ !strcmp(argv[i], "-lockoutduration")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ policy->pw_lockout_duration = atoi(argv[i]);
+ *mask |= KADM5_PW_LOCKOUT_DURATION;
+ continue;
+ }
 } else
 return -1;
 }
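Review bot: The three new handlers in the kadmin_parse_policy_args hunk convert their argument with `atoi(argv[i])`, which reports no error: a typo such as `-maxfailure abc` silently stores 0, and a negative or out-of-range value is accepted unchanged, so a mistyped lockout policy is written to the database rather than rejected. For values that gate account lockout this fails open; parsing with `strtol` and rejecting `end == argv[i] || *end != '\0' || errno == ERANGE` (and a negative value, unless the library gives one a meaning) lets the command return -1 and print usage like the other argument errors in this function. The existing `-history` handler visible above the insertion likely uses the same `atoi` idiom, so this may be worth fixing for the whole function in a follow-up rather than only for the new options; `errno` needs `<errno.h>`, which this file may or may not already include. kadmin_parse_policy_args starts outside the hunk.

```c
/* … unchanged: -history handler … */
} else if (!strcmp(argv[i], "-maxfailure")) {
    char *end;
    long v;

    if (++i > argc - 2)
        return -1;
    errno = 0;
    v = strtol(argv[i], &end, 10);
    /* Reject non-numeric, trailing junk, overflow and negative counts
     * instead of silently storing 0 as atoi() would. */
    if (end == argv[i] || *end != '\0' || errno == ERANGE || v < 0)
        return -1;
    policy->pw_max_fail = v;
    *mask |= KADM5_PW_MAX_FAILURE;
    continue;
/* … same shape for -failurecountinterval and -lockoutduration … */
```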
@@ -1511,7 +1543,8 @@ kadmin_addmodpol_usage(char *func)
 {
 fprintf(stderr, "usage; %s [options] policy\n", func);
 fprintf(stderr, "\toptions are:\n");
- fprintf(stderr, "\t\t[-maxlife time] [-minlife time] [-minlength length]\n\t\t[-minclasses number] [-history number]\n");
+ fprintf(stderr, "\t\t[-maxlife time] [-minlife time] [-minlength length]\n\t\t[-minclasses number] [-history number]\n\t\t[-maxfailure number] [-failurecountinterval time]\n");
+ fprintf(stderr, "\t\t[-lockoutduration time]\n");
 }

 void
@@ -1607,11 +1640,19 @@ kadmin_getpol(int argc, char *argv[])
 policy.pw_min_classes);
 printf("Number of old keys kept: %ld\n", policy.pw_history_num);
 printf("Reference count: %ld\n", policy.policy_refcnt);
+ printf("Maximum password failures before lockout: %ld\n",
+ policy.pw_max_fail);
+ printf("Password failure count reset interval: %ld\n",
+ (long)policy.pw_failcnt_interval);
+ printf("Password lockout duration: %ld\n",
+ (long)policy.pw_lockout_duration);
 } else {
- printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n",
+ printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n",
 policy.policy, policy.pw_max_life, policy.pw_min_life,
 policy.pw_min_length, policy.pw_min_classes,
- policy.pw_history_num, policy.policy_refcnt);
+ policy.pw_history_num, policy.policy_refcnt,
+ policy.pw_max_fail, (long)policy.pw_failcnt_interval,
+ (long)policy.pw_lockout_duration);
 }
 kadm5_free_policy_ent(handle, &policy);
 } |
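Review bot: In the kadmin_getpol hunk, `policy.pw_max_fail` is passed to `%ld` without the `(long)` cast that its two neighbours `pw_failcnt_interval` and `pw_lockout_duration` receive, in both the verbose and the terse `printf`; if `pw_max_fail` is not declared `long` in `policy_ent_rec` this is a format/argument type mismatch (undefined behavior), and if it is, the uneven casting reads as an oversight, so `(long)policy.pw_max_fail` in both places keeps the three fields uniform and robust to a later type change. The terse output line grows from seven to ten tab-separated fields, so any script that parses `get_policy -terse` output will now see three extra trailing columns; a sentence in the commit message or the kadmin man page noting the new columns would help operators. kadmin_getpol starts and ends outside the hunk.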
