608d297 Check for locked-out user before incrementing lastfail.

1 file Authored by rcritten 11 years ago, Committed by mkosek 11 years ago,
    Check for locked-out user before incrementing lastfail.
    
    If a user became locked due to too many failed logins and then was
    unlocked by an administrator, the account would not lock again. This
    was caused by two things:
    
     - We were incrementing the fail counter before checking to see if the
       account was already locked out.
     - The current fail count wasn't taken into consideration when
       deciding if the account is locked.
    
    The sequence was this:
    
    1. Unlocked account, set failcount to 0
    2. Failed login, increment failcount
    3. Within lastfailed + lockout_duration, still locked. This skips
       updating the last_failed date.
    
    So I reversed 2 and 3 and check to see if the fail count exceeds policy.
    
    https://fedorahosted.org/freeipa/ticket/2765
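
The ordering described in the commit message, as an added example: a simplified model written for this page, not FreeIPA's code, replaying lock, admin unlock, and renewed failures through both orderings. All names (`Policy`, `Account`, `failed_login_old`, `failed_login_new`, `locked_until`, `replay`) and the timestamps are assumptions, as is computing lock expiry as `last_failed + lockout_duration` once `failcount` reaches `max_fail`.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    max_fail: int = 3             # failures allowed before lockout
    lockout_duration: int = 600   # seconds

@dataclass
class Account:
    failcount: int = 0
    last_failed: int = 0          # time of the last recorded failure

def admin_unlock(acct):
    acct.failcount = 0            # step 1: last_failed is left untouched

def failed_login_old(acct, pol, now):
    acct.failcount += 1                                # step 2: count first
    if now < acct.last_failed + pol.lockout_duration:  # step 3: time-only check
        return                                         # last_failed not updated
    acct.last_failed = now

def failed_login_new(acct, pol, now):
    # Steps reversed: decide "locked" first, and include the fail count.
    locked = (acct.failcount >= pol.max_fail
              and now < acct.last_failed + pol.lockout_duration)
    if locked:
        return                    # already locked: nothing to record
    acct.failcount += 1
    acct.last_failed = now

def locked_until(acct, pol):
    """Lock expiry time, or None when the fail count is below policy."""
    if acct.failcount < pol.max_fail:
        return None
    return acct.last_failed + pol.lockout_duration

def replay(handler):
    pol, acct = Policy(), Account()
    for t in (1000, 1010, 1020):  # constructed: failures causing first lockout
        handler(acct, pol, t)
    admin_unlock(acct)            # unlock inside the original lockout window
    for t in (1500, 1510, 1520):  # constructed: failures resume after unlock
        handler(acct, pol, t)
    return acct, locked_until(acct, pol)
```

In this model the old ordering leaves `last_failed` at the pre-unlock value, so the expiry is still anchored to the first failure; the reversed ordering records each post-unlock failure and restarts the full `lockout_duration` from the latest one.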