Re: [Freeipa-devel] [PATCH] 680 ldap lockout
Simo Sorce wrote:
> On Wed, 19 Jan 2011 14:15:05 +0100
> Jan Zelený <jzel...@redhat.com> wrote:
>
>> Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Rob Crittenden wrote:
>>>> Jan Zeleny wrote:
>>>>> Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>> Update kerberos password policy values on LDAP binds. This is so
>>>>>> locked-out accounts in kerberos don't try things using LDAP instead.
>>>>>>
>>>>>> On a failed bind this will update krbLoginFailedCount and
>>>>>> krbLastFailedAuth and will potentially fail the bind altogether.
>>>>>>
>>>>>> On a successful bind it will zero krbLoginFailedCount and set
>>>>>> krbLastSuccessfulAuth.
>>>>>>
>>>>>> This will also enforce locked-out accounts.
>>>>>>
>>>>>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
>>>>>> kerberos lockout.
>>>>>>
>>>>>> ticket 343
>>>>>
>>>>> Ack, good job
>>>>>
>>>>> Jan
>>>>
>>>> Simo and Nathan pointed out that the update model I'm using is
>>>> vulnerable to multi-threaded attack and suggested that rather than
>>>> using REPLACE I do a DELETE/ADD to be sure that I'm updating the
>>>> counter appropriately. I've got the basics done, need to re-run
>>>> through valgrind. Will submit another patch shortly.
>>>>
>>>> rob
>>>
>>> Updated patch attached. Be more careful when updating the failed count.
>>>
>>> rob
>>
>> The patch looks good and it works fine, if Simo doesn't have any more
>> security comments: ACK.
>
> Patch looks good to me.
> I only wonder if it would make sense to try to cache the entry between
> the pre-op and the post-op, but given it is just fetched I guess DS
> caches it in memory anyways, so probably not a big deal in any case.
>
> Simo.

pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 680 ldap lockout
Rob Crittenden <rcrit...@redhat.com> wrote:
> Rob Crittenden wrote:
>> Jan Zeleny wrote:
>>> Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> Update kerberos password policy values on LDAP binds. This is so
>>>> locked-out accounts in kerberos don't try things using LDAP instead.
>>>>
>>>> On a failed bind this will update krbLoginFailedCount and
>>>> krbLastFailedAuth and will potentially fail the bind altogether.
>>>>
>>>> On a successful bind it will zero krbLoginFailedCount and set
>>>> krbLastSuccessfulAuth.
>>>>
>>>> This will also enforce locked-out accounts.
>>>>
>>>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
>>>> kerberos lockout.
>>>>
>>>> ticket 343
>>>
>>> Ack, good job
>>>
>>> Jan
>>
>> Simo and Nathan pointed out that the update model I'm using is
>> vulnerable to multi-threaded attack and suggested that rather than
>> using REPLACE I do a DELETE/ADD to be sure that I'm updating the
>> counter appropriately. I've got the basics done, need to re-run
>> through valgrind. Will submit another patch shortly.
>>
>> rob
>
> Updated patch attached. Be more careful when updating the failed count.
>
> rob

The patch looks good and it works fine, if Simo doesn't have any more
security comments: ACK.

Jan
Re: [Freeipa-devel] [PATCH] 680 ldap lockout
On Wed, 19 Jan 2011 14:15:05 +0100
Jan Zelený <jzel...@redhat.com> wrote:

> Rob Crittenden <rcrit...@redhat.com> wrote:
>> Rob Crittenden wrote:
>>> Jan Zeleny wrote:
>>>> Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>> Update kerberos password policy values on LDAP binds. This is so
>>>>> locked-out accounts in kerberos don't try things using LDAP instead.
>>>>>
>>>>> On a failed bind this will update krbLoginFailedCount and
>>>>> krbLastFailedAuth and will potentially fail the bind altogether.
>>>>>
>>>>> On a successful bind it will zero krbLoginFailedCount and set
>>>>> krbLastSuccessfulAuth.
>>>>>
>>>>> This will also enforce locked-out accounts.
>>>>>
>>>>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
>>>>> kerberos lockout.
>>>>>
>>>>> ticket 343
>>>>
>>>> Ack, good job
>>>>
>>>> Jan
>>>
>>> Simo and Nathan pointed out that the update model I'm using is
>>> vulnerable to multi-threaded attack and suggested that rather than
>>> using REPLACE I do a DELETE/ADD to be sure that I'm updating the
>>> counter appropriately. I've got the basics done, need to re-run
>>> through valgrind. Will submit another patch shortly.
>>>
>>> rob
>>
>> Updated patch attached. Be more careful when updating the failed count.
>>
>> rob
>
> The patch looks good and it works fine, if Simo doesn't have any more
> security comments: ACK.

Patch looks good to me.
I only wonder if it would make sense to try to cache the entry between
the pre-op and the post-op, but given it is just fetched I guess DS
caches it in memory anyways, so probably not a big deal in any case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 680 ldap lockout
Jan Zeleny wrote:
> Rob Crittenden <rcrit...@redhat.com> wrote:
>> Update kerberos password policy values on LDAP binds. This is so
>> locked-out accounts in kerberos don't try things using LDAP instead.
>>
>> On a failed bind this will update krbLoginFailedCount and
>> krbLastFailedAuth and will potentially fail the bind altogether.
>>
>> On a successful bind it will zero krbLoginFailedCount and set
>> krbLastSuccessfulAuth.
>>
>> This will also enforce locked-out accounts.
>>
>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
>> kerberos lockout.
>>
>> ticket 343
>
> Ack, good job
>
> Jan

Simo and Nathan pointed out that the update model I'm using is vulnerable
to multi-threaded attack and suggested that rather than using REPLACE I do
a DELETE/ADD to be sure that I'm updating the counter appropriately. I've
got the basics done, need to re-run through valgrind. Will submit another
patch shortly.

rob
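The REPLACE versus DELETE/ADD point in Rob's message, as an added example that is not part of the thread or of the FreeIPA patch. It is in Python rather than the plugin's C because what matters is the semantics of the LDAP modify operation, which are the same whether the caller is a slapi plugin or an LDAP client: one modify is applied atomically, deleting a specific value that is not present fails with noSuchAttribute, and adding a value that is already present fails with attributeOrValueExists (RFC 4511, section 4.6). The `Entry` class is an in-memory stand-in for a directory entry, the barrier is a test hook that forces the interleaving in which two binds read the counter before either writes it, and the retry count is an assumption; only the attribute names krbLoginFailedCount and krbLastFailedAuth come from the patch description. The practical consequence of a lost increment is that a client sending password guesses in parallel stays under the lockout threshold longer than the policy intends.

```python
# Added example (not FreeIPA code): lost-update race on a failed-bind counter
# with MOD_REPLACE, and the DELETE-old-value/ADD-new-value form that detects it.
import threading
import time

NO_SUCH_ATTRIBUTE = "noSuchAttribute"                  # LDAP result code 16
ATTRIBUTE_OR_VALUE_EXISTS = "attributeOrValueExists"  # LDAP result code 20
COUNT = "krbLoginFailedCount"                          # attribute named in the patch
LAST_FAIL = "krbLastFailedAuth"                        # attribute named in the patch


class LdapError(Exception):
    """args[0] is one of the result-code strings above."""


class Entry:
    """In-memory stand-in for a directory entry (an assumption for the example)."""

    def __init__(self, attrs):
        self.attrs = {k: set(v) for k, v in attrs.items()}
        self._lock = threading.Lock()  # a server applies one modify to an entry at a time

    def get_single(self, attr):
        values = self.attrs.get(attr, set())
        return next(iter(values)) if values else None

    def modify(self, changes):
        """changes: list of (op, attr, values) with op in replace/delete/add."""
        with self._lock:
            new = {k: set(v) for k, v in self.attrs.items()}  # work on a copy
            for op, attr, values in changes:
                cur = new.setdefault(attr, set())
                values = set(values)
                if op == "replace":
                    new[attr] = values
                elif op == "delete":
                    if not values <= cur:          # value already gone: someone else wrote
                        raise LdapError(NO_SUCH_ATTRIBUTE)
                    cur -= values
                elif op == "add":
                    if cur & values:               # value already there: someone else wrote
                        raise LdapError(ATTRIBUTE_OR_VALUE_EXISTS)
                    cur |= values
                else:
                    raise ValueError(op)
            self.attrs = new  # commit only after every change applied cleanly


def _now():
    return time.strftime("%Y%m%d%H%M%SZ", time.gmtime())  # LDAP GeneralizedTime


def failed_bind_replace(entry, barrier=None):
    """Post-op as first written: read the counter, then REPLACE it with old+1.
    Two binds that read the same value both write the same result."""
    old = int(entry.get_single(COUNT) or 0)
    if barrier:
        barrier.wait()  # test hook: every thread reads before any thread writes
    entry.modify([("replace", COUNT, [str(old + 1)]),
                  ("replace", LAST_FAIL, [_now()])])
    return True


def failed_bind_delete_add(entry, barrier=None, retries=5):
    """Post-op as revised: DELETE the exact value read and ADD old+1 in one modify.
    If another bind changed the counter in between, the DELETE (or ADD) no longer
    matches, the whole modify fails, and we re-read and retry (retries is assumed)."""
    for attempt in range(retries):
        cur = entry.get_single(COUNT)
        old = int(cur) if cur is not None else 0
        if barrier and attempt == 0:
            barrier.wait()
        changes = [("delete", COUNT, [cur])] if cur is not None else []  # first failure: nothing to delete
        changes += [("add", COUNT, [str(old + 1)]), ("replace", LAST_FAIL, [_now()])]
        try:
            entry.modify(changes)
            return True
        except LdapError as e:
            if e.args[0] not in (NO_SUCH_ATTRIBUTE, ATTRIBUTE_OR_VALUE_EXISTS):
                raise
    return False  # give up loudly; never silently drop a failed authentication


def concurrent_failed_binds(post_op, n=2, start="0"):
    """Run n failed-bind post-ops against one entry with the barrier forcing the
    lost-update interleaving; return the final counter value."""
    entry = Entry({COUNT: [start]})
    barrier = threading.Barrier(n)
    threads = [threading.Thread(target=post_op, args=(entry, barrier)) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return int(entry.get_single(COUNT))


if __name__ == "__main__":
    print("REPLACE   :", concurrent_failed_binds(failed_bind_replace))     # 1: one failure lost
    print("DELETE/ADD:", concurrent_failed_binds(failed_bind_delete_add))  # 2: both counted
```

Run it directly to see the REPLACE version report 1 after two concurrent failed binds and the DELETE/ADD version report 2. In LDIF the revised modify is `delete: krbLoginFailedCount` with the value just read, then `-`, then `add: krbLoginFailedCount` with the incremented value, all in one changetype: modify record; the same pattern applies to any counter kept in LDAP that must not lose increments under concurrent writers, and the caller must treat a noSuchAttribute result as "retry", not as "done".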
Re: [Freeipa-devel] [PATCH] 680 ldap lockout
Rob Crittenden wrote:
> Jan Zeleny wrote:
>> Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Update kerberos password policy values on LDAP binds. This is so
>>> locked-out accounts in kerberos don't try things using LDAP instead.
>>>
>>> On a failed bind this will update krbLoginFailedCount and
>>> krbLastFailedAuth and will potentially fail the bind altogether.
>>>
>>> On a successful bind it will zero krbLoginFailedCount and set
>>> krbLastSuccessfulAuth.
>>>
>>> This will also enforce locked-out accounts.
>>>
>>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
>>> kerberos lockout.
>>>
>>> ticket 343
>>
>> Ack, good job
>>
>> Jan
>
> Simo and Nathan pointed out that the update model I'm using is
> vulnerable to multi-threaded attack and suggested that rather than
> using REPLACE I do a DELETE/ADD to be sure that I'm updating the
> counter appropriately. I've got the basics done, need to re-run
> through valgrind. Will submit another patch shortly.
>
> rob

Updated patch attached. Be more careful when updating the failed count.

rob

From a502007156e90e9fd9f2584b8b4ba2734e05710e Mon Sep 17 00:00:00 2001 
From: Rob Crittenden rcrit...@redhat.com Date: Tue, 18 Jan 2011 14:58:58 -0500 Subject: [PATCH] Update kerberos password policy values on LDAP binds. On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343 --- daemons/configure.ac |1 + daemons/ipa-slapi-plugins/Makefile.am |1 + daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am | 46 ++ .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c| 643 .../ipa-lockout/lockout-conf.ldif | 15 + ipa.spec.in|2 + ipaserver/install/dsinstance.py|4 + 7 files changed, 712 insertions(+), 0 deletions(-) create mode 100644 daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c create mode 100644 daemons/ipa-slapi-plugins/ipa-lockout/lockout-conf.ldif diff --git a/daemons/configure.ac b/daemons/configure.ac index c024c12..d15a5c7 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -291,6 +291,7 @@ AC_CONFIG_FILES([ ipa-kpasswd/Makefile ipa-slapi-plugins/Makefile ipa-slapi-plugins/ipa-enrollment/Makefile +ipa-slapi-plugins/ipa-lockout/Makefile ipa-slapi-plugins/ipa-pwd-extop/Makefile ipa-slapi-plugins/ipa-winsync/Makefile ipa-slapi-plugins/ipa-version/Makefile diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 1ae2351..25f50d5 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am +++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ ipa-enrollment \ + ipa-lockout \ ipa-modrdn \ ipa-pwd-extop \ ipa-uuid \ diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am new file mode 100644 index 000..fea3fe6 --- /dev/null 
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am @@ -0,0 +1,46 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I/usr/include/dirsrv \ + -DPREFIX=\$(prefix)\ \ + -DBINDIR=\$(bindir)\\ + -DLIBDIR=\$(libdir)\ \ + -DLIBEXECDIR=\$(libexecdir)\ \ + -DDATADIR=\$(datadir)\\ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_lockout.la \ + $(NULL) + +libipa_lockout_la_SOURCES = \ + ipa_lockout.c \ + $(NULL) + +libipa_lockout_la_LDFLAGS = -avoid-version + +libipa_lockout_la_LIBADD = \ + $(LDAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + lockout-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c new file mode 100644 index 000..4d5d605 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c @@ -0,0 +1,643 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of
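Review bot: in the new daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am hunk, the directory server headers are found through a hard-coded `-I/usr/include/dirsrv` in INCLUDES; if configure already detects the dirsrv include directory (or it can be taken from pkg-config), please use that variable so the plugin still builds on a host whose headers live under a different prefix. Two smaller points in the same file: INCLUDES is the deprecated automake name and AM_CPPFLAGS is the current one, and since libipa_lockout.la is a server plugin that is dlopen'ed rather than linked against, `libipa_lockout_la_LDFLAGS = -module -avoid-version` is the usual libtool spelling for a loadable module.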
[Freeipa-devel] [PATCH] 680 ldap lockout
Update kerberos password policy values on LDAP binds. This is so locked-out accounts in kerberos don't try things using LDAP instead. On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343 From 7c9aabdf43715550fc39da508a2f6f9a327b15a6 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 17 Jan 2011 10:47:00 -0500 Subject: [PATCH] Update kerberos password policy values on LDAP binds. On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343 --- daemons/configure.ac |1 + daemons/ipa-slapi-plugins/Makefile.am |1 + daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am | 46 ++ .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c| 618 .../ipa-lockout/lockout-conf.ldif | 15 + ipa.spec.in|2 + ipaserver/install/dsinstance.py|4 + 7 files changed, 687 insertions(+), 0 deletions(-) create mode 100644 daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c create mode 100644 daemons/ipa-slapi-plugins/ipa-lockout/lockout-conf.ldif diff --git a/daemons/configure.ac b/daemons/configure.ac index 72ff750..ef6e97d 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -296,6 +296,7 @@ AC_CONFIG_FILES([ ipa-kpasswd/Makefile ipa-slapi-plugins/Makefile ipa-slapi-plugins/ipa-enrollment/Makefile +ipa-slapi-plugins/ipa-lockout/Makefile ipa-slapi-plugins/ipa-pwd-extop/Makefile ipa-slapi-plugins/ipa-winsync/Makefile ipa-slapi-plugins/ipa-version/Makefile diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 1ae2351..25f50d5 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am +++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ ipa-enrollment \ + ipa-lockout \ ipa-modrdn \ ipa-pwd-extop \ ipa-uuid \ diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am new file mode 100644 index 000..fea3fe6 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am @@ -0,0 +1,46 @@ +NULL = + +PLUGIN_COMMON_DIR=../common + +INCLUDES = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I/usr/include/dirsrv \ + -DPREFIX=\$(prefix)\ \ + -DBINDIR=\$(bindir)\\ + -DLIBDIR=\$(libdir)\ \ + -DLIBEXECDIR=\$(libexecdir)\ \ + -DDATADIR=\$(datadir)\\ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) + +plugindir = $(libdir)/dirsrv/plugins +plugin_LTLIBRARIES = \ + libipa_lockout.la \ + $(NULL) + +libipa_lockout_la_SOURCES = \ + ipa_lockout.c \ + $(NULL) + +libipa_lockout_la_LDFLAGS = -avoid-version + +libipa_lockout_la_LIBADD = \ + $(LDAP_LIBS) \ + $(NULL) + +appdir = $(IPA_DATA_DIR) +app_DATA = \ + lockout-conf.ldif \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c new file mode 100644 index 000..674099d --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c 
@@ -0,0 +1,618 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see http://www.gnu.org/licenses/. + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, GPL means the GNU General Public + * License, version 3 or any later version, and Non-GPL Code means + * code that is governed neither by the the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the