#7607 After an account is locked by password policy, it is still possible to log in to the account by various methods
Closed: invalid 5 years ago Opened 5 years ago by dkt.

This ticket is about enforcement of password lockout policy.
I am using CentOS 7.5

Issue

Suppose an account has exceeded the maximum number of login failure attempts. The account should be locked out, but I found there are still ways to log in.

Steps to Reproduce

  1. Suppose an account has a password policy with a maximum of 1 login failure

  2. Attempt to log in to the account but provide the wrong password

  3. Account should be locked

  4. First way to log in: on a system with IPA, log in as root and run 'su - accountname' to log in to the locked-out account.

  5. Second way to log in: on host1/host2, the user had already logged in to the locked-out account, but the account is 'locked' on the other hosts. That user can still ssh to other IPA-integrated systems (host2 tested), probably because authentication is via Kerberos.

Extracted from ssh -v
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to host2 (via proxy).

  6. Continuing from the above point: suppose that on host1 root does 'su' to the locked account; the locked account can then ssh to other hosts via Kerberos (host2 tested)

Actual behavior

If an account is locked, it may still be able to log in to other IPA-integrated systems via ssh (via Kerberos authentication).

Expected behavior

If an account is locked, it is not expected to be able to log in via ssh (via Kerberos authentication).
Using root to su to a locked account is debatable, because root can su to a locked local account (non-IPA).

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.4-10.el7.centos.1.x86_64
ipa-client-4.5.4-10.el7.centos.1.x86_64
389-ds-base-1.3.7.5-21.el7_5.x86_64
pki-ca-10.5.1-9.el7.noarch
krb5-server-1.15.1-19.el7.x86_64


There is a misunderstanding of what locked means. Password lockout just means that a new TGT cannot be obtained and LDAP authentication will not succeed (therefore login will not be successful if a password is required).

If there is an existing TGT it may continue to be used.

The account is not disabled during the lockout period.

Metadata Update from @rcritten:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

5 years ago
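The distinction drawn above (lockout blocks new TGTs and password binds, but a TGT already sitting in a credential cache keeps working until it expires) is exactly the window a defender wants to bound when an account is locked. Added example, not code from the ticket or from FreeIPA: it parses MIT `klist` output (the sample below is constructed) and reports, for a given lockout time, how long each cached TGT issued before the lockout can still be used; all names and values are this example's own.

```python
"""Residual exposure of a cached TGT after password lockout.
Given `klist` output from a host and the lockout time, list the TGTs that
were issued before the lockout and when they stop being usable."""
from datetime import datetime
import re

# Constructed sample of MIT `klist` output (not captured from the reporter's hosts).
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: alice@EXAMPLE.COM
Valid starting       Expires              Service principal
01/15/2019 08:00:00  01/16/2019 08:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/22/2019 08:00:00
01/15/2019 08:05:00  01/16/2019 08:00:00  host/host2.example.com@EXAMPLE.COM
"""

TS = "%m/%d/%Y %H:%M:%S"          # klist's default timestamp format
_T = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
TICKET = re.compile(r"^" + _T + r"\s+" + _T + r"\s+(\S+)")
RENEW = re.compile(r"^\s*renew until " + _T)


def parse_klist(text):
    """Parse klist output into dicts: principal, start, expires, renew_until."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            tickets.append({"principal": m.group(3),
                            "start": datetime.strptime(m.group(1), TS),
                            "expires": datetime.strptime(m.group(2), TS),
                            "renew_until": None})
            continue
        r = RENEW.match(line)
        if r and tickets:   # continuation line belongs to the previous ticket
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), TS)
    return tickets


def tgt_exposure(text, locked_at):
    """Return [(principal, usable_until)] for TGTs issued before locked_at (a
    string in TS format). Lockout blocks new TGTs, not cached ones: a TGT stays
    usable until it expires, or, if renewable and the KDC keeps renewing it,
    as late as its 'renew until' time (taken here as the worst case)."""
    lock = datetime.strptime(locked_at, TS)
    out = []
    for t in parse_klist(text):
        if t["principal"].startswith("krbtgt/") and t["start"] <= lock:
            worst = t["renew_until"] or t["expires"]
            out.append((t["principal"], worst.strftime(TS)))
    return out
```

Running `tgt_exposure(SAMPLE_KLIST, "01/15/2019 09:00:00")` on the sample shows the TGT obtained an hour before lockout remaining usable, in the worst case, for another week; the service ticket for host2 is ignored because it is derived from that TGT.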

Just having a quick check on the web. Looks like Microsoft had an option to perform extra Kerberos ticket validation (outside the Kerberos V5 specification) with POLICY_KERBEROS_VALIDATE_CLIENT

https://msdn.microsoft.com/en-us/library/cc233947.aspx?f=255&MSPPError=-2147217396
