This ticket is about enforcement of the password lockout policy. I am using CentOS 7.5.
Suppose an account has exceeded the maximum number of failed login attempts. The account should be locked out. But I found there are still ways to log in.
Suppose an account has a password policy of max 1 login failure.
Attempt to log in to the account but provide the wrong password.
The account should be locked.
First way to log in: On a system with IPA, log in as root and run 'su - accountname' to log in to that locked-out account.
Second way to log in: On host1/host2, the user had already logged in to the locked-out account. But the account is 'locked' on other hosts. That user can still ssh to another IPA-integrated system (host2 tested), probably because authentication is via Kerberos.
Extracted from ssh -v:

```
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to host2 (via proxy).
```
If an account is locked, it may be able to log in to other IPA-integrated systems via ssh (via Kerberos authentication).
If an account is locked, it is not expected to be able to log in via ssh (via Kerberos authentication). Using root to su to a locked account is debatable, because root can su to a locked local (non-IPA) account.
```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.4-10.el7.centos.1.x86_64
ipa-client-4.5.4-10.el7.centos.1.x86_64
389-ds-base-1.3.7.5-21.el7_5.x86_64
pki-ca-10.5.1-9.el7.noarch
krb5-server-1.15.1-19.el7.x86_64
```
There is a misunderstanding of what locked means. Password lockout just means that a new TGT cannot be obtained and LDAP authentication will not succeed (therefore login will not be successful if a password is required).
If there is an existing TGT it may continue to be used.
The account is not disabled during the lockout period.
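The behaviour described above, that a password lockout blocks new TGTs and LDAP binds but leaves an already-issued TGT usable, is visible in sshd logs. The following is an added example, not code from this ticket or from the FreeIPA project: it triages accepted sshd logins for accounts an administrator knows to be locked, separating GSSAPI logins (which the lockout does not prevent) from password logins (which it should make fail). The locked-user set, hostnames, addresses and log lines are constructed for the example, and the regex assumes the standard OpenSSH `Accepted <method> for <user> from <ip> port <port> ssh2` message.

```python
"""Triage sshd logins by FreeIPA-locked accounts.

Added example, not part of the ticket or of FreeIPA. Assumptions:
  * LOCKED_USERS is obtained out of band (e.g. by checking `ipa user-status`)
    and is constructed here;
  * log lines use OpenSSH's "Accepted <method> for <user> from <ip> port <port> ssh2"
    format; the sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Methods that consume an already-issued Kerberos ticket. A FreeIPA password
# lockout stops new TGTs and LDAP binds; it does not revoke existing tickets,
# so these logins can still succeed during the lockout window.
TICKET_METHODS = {"gssapi-with-mic", "gssapi-keyex"}

# Methods that require the password (or a PAM conversation that asks for it).
# Under lockout these are expected to fail.
PASSWORD_METHODS = {"password", "keyboard-interactive", "keyboard-interactive/pam"}

ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>[\w/-]+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


@dataclass(frozen=True)
class Finding:
    user: str
    method: str
    source: str  # "ip:port" of the ssh client
    line: str


def triage_locked_logins(lines: Iterable[str], locked_users: Set[str]) -> Dict[str, List[Finding]]:
    """Bucket accepted logins by locked accounts.

    via_ticket:   GSSAPI logins. Consistent with lockout semantics (the TGT was
                  issued before the lockout) but possibly unwanted; stopping
                  them needs the account disabled or the ticket to expire.
    via_password: password / keyboard-interactive logins. Lockout should have
                  rejected these, so an accepted one is worth investigating.
    Public-key logins are a separate policy question and are not bucketed.
    """
    result: Dict[str, List[Finding]] = {"via_ticket": [], "via_password": []}
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m is None or m["user"] not in locked_users:
            continue
        finding = Finding(m["user"], m["method"], f"{m['ip']}:{m['port']}", line.strip())
        if finding.method in TICKET_METHODS:
            result["via_ticket"].append(finding)
        elif finding.method in PASSWORD_METHODS:
            result["via_password"].append(finding)
    return result


# Constructed sample log from an IPA-enrolled host ("host2"); not real data.
SAMPLE_LOG = [
    "Jan 10 09:12:01 host2 sshd[2214]: Failed password for alice from 10.0.0.5 port 50112 ssh2",
    "Jan 10 09:12:30 host2 sshd[2220]: Accepted gssapi-with-mic for alice from 10.0.0.5 port 50120 ssh2",
    "Jan 10 09:13:02 host2 sshd[2231]: Accepted publickey for bob from 10.0.0.7 port 50201 ssh2: RSA SHA256:constructed",
    "Jan 10 09:14:10 host2 sshd[2240]: Accepted password for carol from 10.0.0.9 port 50333 ssh2",
]

# Constructed: accounts currently past their krbPwdMaxFailure count.
LOCKED_USERS = {"alice", "carol"}


def main() -> None:
    report = triage_locked_logins(SAMPLE_LOG, LOCKED_USERS)
    for f in report["via_ticket"]:
        print(f"INFO  locked user {f.user} logged in with existing ticket ({f.method}) from {f.source}")
    for f in report["via_password"]:
        print(f"ALERT locked user {f.user} accepted with {f.method} from {f.source}; lockout not enforced?")


if __name__ == "__main__":
    main()
```

The `via_ticket` bucket is the case this ticket describes: nothing is wrong with the KDC, the ticket simply predates the lockout. If such access has to stop immediately, the lockout alone will not do it; the account must be disabled (for example with `ipa user-disable`) or the ticket allowed to expire.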
Metadata Update from @rcritten:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)
Just having a quick check on the web. Looks like Microsoft has an option to perform extra Kerberos ticket validation (outside the Kerberos V5 specification) with POLICY_KERBEROS_VALIDATE_CLIENT:
https://msdn.microsoft.com/en-us/library/cc233947.aspx?f=255&MSPPError=-2147217396