authorGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
committerGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
commit8d31a9d396f5bea88def4db395ad12dca2ac2e9f (patch)
tree244f8f5b525432a2a2a280403f38d7b2fbdc0dfd /src/kdc
parentb82e46df9b6cbf663512985a99c6d79f2b0cb796 (diff)
Account lockout
Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure. ticket: 6577 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/do_as_req.c48
-rw-r--r--src/kdc/extern.c5
-rw-r--r--src/kdc/main.c5
3 files changed, 4 insertions, 54 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 304b76b4d..737def8d2 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -106,7 +106,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
krb5_keyblock server_keyblock, client_keyblock;
krb5_keyblock *mkey_ptr;
krb5_enctype useenctype;
- krb5_boolean update_client = 0;
krb5_data e_data;
register int i;
krb5_timestamp until, rtime;
@@ -392,21 +391,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
get_preauth_hint_list(request, &client, &server, &e_data);
- if (kdc_modifies_kdb) {
- /*
- * Note: this doesn't work if you're using slave servers!!!
- * It also causes the database to be modified (and thus
- * need to be locked) frequently.
- */
- if (client.fail_auth_count < KRB5_MAX_FAIL_COUNT) {
- client.fail_auth_count = client.fail_auth_count + 1;
- if (client.fail_auth_count == KRB5_MAX_FAIL_COUNT) {
- client.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- }
- }
- client.last_failed = kdc_time;
- }
- update_client = 1;
status = "PREAUTH_FAILED";
if (vague_errors)
errcode = KRB5KRB_ERR_GENERIC;
@@ -620,15 +604,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
- if (kdc_modifies_kdb) {
- /*
- * If we get this far, we successfully did the AS_REQ.
- */
- client.last_success = kdc_time;
- client.fail_auth_count = 0;
- }
- update_client = 1;
-
log_as_req(from, request, &reply, &client, cname, &server, sname,
authtime, 0, 0, 0);
did_log = 1;
@@ -648,8 +623,8 @@ egress:
emsg = krb5_get_error_message(kdc_context, errcode);
if (status) {
- log_as_req(from, request, &reply, &client, cname, &server, sname, 0,
- status, errcode, emsg);
+ log_as_req(from, request, &reply, &client, cname, &server, sname,
+ authtime, status, errcode, emsg);
did_log = 1;
}
if (errcode) {
@@ -681,25 +656,8 @@ egress:
free(cname);
if (sname != NULL)
free(sname);
- if (c_nprincs) {
- if (kdc_modifies_kdb) {
- if (update_client) {
- krb5_error_code errcode2;
-
- krb5_db_put_principal(kdc_context, &client, &c_nprincs);
- /*
- * ptooey. We want krb5_db_sync() or something like that.
- */
- errcode2 = krb5_db_fini(kdc_context);
- if (errcode2 == 0)
- errcode2 = krb5_db_open(kdc_context, db_args,
- KRB5_KDB_OPEN_RW|KRB5_KDB_SRV_TYPE_KDC);
- /* Reset master key */
- krb5_db_set_mkey(kdc_context, &kdc_active_realm->realm_mkey);
- }
- }
+ if (c_nprincs)
krb5_db_free_principal(kdc_context, &client, c_nprincs);
- }
if (s_nprincs)
krb5_db_free_principal(kdc_context, &server, s_nprincs);
if (session_key.contents != NULL)
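Review bot: In the `egress:` hunk the failure-path call now passes `authtime` to log_as_req where it previously passed a literal 0, so every `goto egress` that precedes the assignment of `authtime` must be covered by an initializer at its declaration; the declaration is outside this hunk, so please confirm it reads `krb5_timestamp authtime = 0;` (or equivalent) rather than relying on a later store. The earlier hunks drop the in-KDC bookkeeping of `fail_auth_count`, `last_failed`, `last_success` and the `krb5_db_put_principal`/`krb5_db_fini`/`krb5_db_open` re-sync, which presumably moves to the KDB layer per the commit message; a one-line comment at the `PREAUTH_FAILED` site such as `/* lockout counters are maintained by the KDB layer, not here */` would tell the next reader why a failed preauth no longer touches the client entry. process_as_req begins before the first hunk and its body continues between and after the hunks shown.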
diff --git a/src/kdc/extern.c b/src/kdc/extern.c
index 3427bcfff..7ebc7bb3a 100644
--- a/src/kdc/extern.c
+++ b/src/kdc/extern.c
@@ -38,11 +38,6 @@ krb5_data empty_string = {0, 0, ""};
krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */
krb5_rcache kdc_rcache = (krb5_rcache) NULL;
krb5_keyblock psr_key;
-#ifdef KRBCONF_KDC_MODIFIES_KDB
-const int kdc_modifies_kdb = 1;
-#else
-const int kdc_modifies_kdb = 0;
-#endif
krb5_int32 max_dgram_reply_size = MAX_DGRAM_SIZE;
volatile int signal_requests_exit = 0; /* gets set when signal hits */
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 83c7de61e..9ce3f4894 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -381,10 +381,7 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname,
}
/* first open the database before doing anything */
- if (kdc_modifies_kdb)
- kdb_open_flags = KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_KDC;
- else
- kdb_open_flags = KRB5_KDB_OPEN_RO | KRB5_KDB_SRV_TYPE_KDC;
+ kdb_open_flags = KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_KDC;
if ((kret = krb5_db_open(rdp->realm_context, db_args, kdb_open_flags))) {
kdc_err(rdp->realm_context, kret,
"while initializing database for realm %s", realm);
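Review bot: `kdb_open_flags` is now assigned a constant unconditionally, so the variable no longer encodes a decision and the reason for always opening read-write is lost with the deleted `kdc_modifies_kdb` branch; add a comment on the assignment, e.g. `/* RW: the KDB layer records lockout state (failure count, timestamps) during AS processing */`, hedged to whatever the lockout code in the KDB backend actually writes. Builds that previously ran with `KRBCONF_KDC_MODIFIES_KDB` unset opened the database read-only, so this silently changes behaviour for those deployments and deserves a sentence in the commit message or the comment. init_realm continues outside the hunk.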