Bug 1480131
| Summary: | krbLoginFailedCount doesn't get reset following subsequent failed logins via ssh after the "Failure reset interval" has elapsed | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ming Davies <minyu> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED WORKSFORME | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | abokovoy, gparente, pvoborni, rcritten, tscherf |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-29 12:13:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Ming Davies
2017-08-10 09:21:58 UTC
Here are the version number: ipa-server-4.4.0-12.el7.x86_64 389-ds-base-libs-1.3.5.10-11.el7.x86_64 389-ds-base-1.3.5.10-11.el7.x86_64 A simple LDAP bind operation does not concern Kerberos principal, so there are no changes in Kerberos attributes. When one logs into SSH with a password, SSSD performs Kerberos authentication which failure is then reflected via krbLoginFailedCount. Please note that IPA does not provide a pure password policy. What is named 'password policy' is, in fact, a Kerberos password policy. As result, it only applies to Kerberos operations. And wrt the behavior - why it is not reset:
By quick look into code, it might be caused by "Lockout duration" not being set.
if (ied->pol->lockout_duration != 0 &&
ied->pol->failcnt_interval != 0 &&
client->last_failed + ied->pol->failcnt_interval < authtime) {
/* Reset fail_auth_count, the interval's expired already */
client->fail_auth_count = 0;
client->mask |= KMASK_FAIL_AUTH_COUNT;
}
From doc: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/pwd-policies-how.html#pwd-policies-global-group
"""
If multiple password policies are applicable to a user, the policy with the lowest priority value takes precedence. All rules defined in other policies are ignored.
The password policy with the lowest priority value applies to all password policy attributes, even the attributes that are not defined in the policy.
The global password policy does not have a priority value set. It serves as a fallback policy when no group policy is set for a user. The global policy can never take precedence over a group policy.
"""
I.e. the value won't be inherited from global policy.
Thanks for the update, Alexander. You and Petr are indeed right! Just did a quick test: [root@ipareplica ~]# ipa pwpolicy-show --user=ppolicy-user Group: ppolicy-group Max lifetime (days): 90 Max failures: 4 Failure reset interval: 300 Lockout duration: 60 From the IPA replica: [root@ipareplica ~]# date;ipa user-show --all ppolicy-user --raw |grep krbLoginFailedCount Mon 14 Aug 13:52:06 BST 2017 krbLoginFailedCount: 0 From the IPA client: $ date; ssh ppolicy-user@ipaclient Mon 14 Aug 13:52:19 BST 2017 Password: <WRONG PASSWORD> Password: <WRONG PASSWORD> From the IPA replica: [root@ipareplica ~]# date;ipa user-show --all ppolicy-user --raw |grep krbLoginFailedCount Mon 14 Aug 13:52:29 BST 2017 krbLoginFailedCount: 2 From the IPA replica: $ date; sleep 350 Mon 14 Aug 13:52:40 BST 2017 [ming@snowflake ~]$ date; ssh ppolicy-user@ipaclient Mon 14 Aug 14:15:00 BST 2017 Password: <WRONG PASSWORD> From the IPA replica: [root@ipareplica ~]# date;ipa user-show --all ppolicy-user --raw |grep krbLoginFailedCount Mon 14 Aug 14:15:09 BST 2017 krbLoginFailedCount: 1 <<<< It has indeed reset to 1. I will ask the customer to try and let you know it goes. Best regards, Ming |