There was a problem in admin-unlocked accounts in that while still in the lock duration they would never be re-locked. More info in the patch.

rob
From d649a17bc0b9b339c91ba1df328c31af9808ea93 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 17 May 2012 13:17:21 -0400
Subject: [PATCH] Check for locked-out user before incrementing lastfail.

If a user became locked due to too many failed logins and then was
unlocked by an administrator, the account would not lock again. This
was caused by two things:

 - We were incrementing the fail counter before checking to see if the
   account was already locked out.
 - The current fail count wasn't taken into consideration when
   deciding if the account is locked.

The sequence was this:

1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
   updating the last_failed date.

So I reversed 2 and 3 and check to see if the fail count exceeds policy.

https://fedorahosted.org/freeipa/ticket/2765
---
 daemons/ipa-kdb/ipa_kdb_audit_as.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index c71568c385595b3f6b9b595f4807ece8356349e0..64af8b2f9e8d8ab9d2828014b5ce214704ab3e46 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -93,16 +93,18 @@ void ipadb_audit_as_req(krb5_context kcontext,
             client->mask |= KMASK_FAIL_AUTH_COUNT;
         }
 
+        if (client->last_failed + ied->pol->lockout_duration > authtime &&
+            (client->fail_auth_count >= ied->pol->max_fail && 
+             ied->pol->max_fail != 0)) {
+            /* client already locked, nothing more to do */
+            break;
+        }
         if (ied->pol->max_fail == 0 ||
             client->fail_auth_count < ied->pol->max_fail) {
             /* let's increase the fail counter */
             client->fail_auth_count++;
             client->mask |= KMASK_FAIL_AUTH_COUNT;
         }
-        if (client->last_failed + ied->pol->lockout_duration > authtime) {
-            /* client already locked, nothing more to do */
-            break;
-        }
         client->last_failed = authtime;
         client->mask |= KMASK_LAST_FAILED;
         break;
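Review bot: the new "already locked" test in this hunk works on the visible lines, but two small points are worth tightening before it lands. First, the `ied->pol->max_fail && ` line carries trailing whitespace. Second, the condition reads more naturally with the `max_fail != 0` guard first, since the other two comparisons are only meaningful when a maximum is configured, e.g. `if (ied->pol->max_fail != 0 && client->fail_auth_count >= ied->pol->max_fail && client->last_failed + ied->pol->lockout_duration > authtime)`. One behavioural observation to confirm is intended: when `lockout_duration` is 0, `client->last_failed + 0 > authtime` is false, so an account whose counter is already at `max_fail` never takes the early `break`; it skips the increment (the counter is not below `max_fail`) and still updates `last_failed`. That matches the pre-patch flow, but a short comment stating that a zero duration means "no timed lock" would save the next reader from wondering whether the early return was meant to cover it.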
-- 
1.7.10.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
