|
|
|---|
| 852 |
<section id="users:faillog"> |
852 |
<section id="users:faillog"> |
| 853 |
<title>Automatic lockout of users after failed login attempts</title> |
853 |
<title>Automatic lockout of users after failed login attempts</title> |
| 854 |
<para> |
854 |
<para> |
| 855 |
As standard, a user can enter her password incorrectly any number of times. To |
855 |
By default, a user can enter her password incorrectly any number of times. To |
| 856 |
hinder brute force attacks on passwords, an automatic lockout for user accounts |
856 |
hinder brute force attacks on passwords, an automatic lockout for user accounts |
| 857 |
can be activated after a configured number of failed log-in attempts. |
857 |
can be activated after a configured number of failed log-in attempts. |
| 858 |
</para> |
858 |
</para> |
|
|
|---|
| 868 |
<title>Samba Active Directory Service</title> |
868 |
<title>Samba Active Directory Service</title> |
| 869 |
<para> |
869 |
<para> |
| 870 |
In Samba Active Directory environments, various services are provided by Samba, such as Kerberos. |
870 |
In Samba Active Directory environments, various services are provided by Samba, such as Kerberos. |
| 871 |
To lock users after failed logins, the tool <command>samba-tool</command> can be used. |
871 |
To lockout users after too many failed log-in attempts, the tool <command>samba-tool</command> can be used. |
| 872 |
</para> |
872 |
</para> |
| 873 |
<para> |
873 |
<para> |
| 874 |
<itemizedlist> |
874 |
<itemizedlist> |
|
|
|---|
| 880 |
</listitem> |
880 |
</listitem> |
| 881 |
<listitem> |
881 |
<listitem> |
| 882 |
<simpara> |
882 |
<simpara> |
| 883 |
<command>samba-tool domain passwordsettings set --account-lockout-duration=3</command> |
883 |
<command>samba-tool domain passwordsettings set --account-lockout-threshold=5</command> |
| 884 |
specifies the number of minutes an account will be locked after too many incorrect passwords |
884 |
specifies how often a user can attempt to log in with an incorrect password before the account |
| 885 |
have been entered. |
885 |
is locked. |
| 886 |
</simpara> |
886 |
</simpara> |
| 887 |
</listitem> |
887 |
</listitem> |
| 888 |
<listitem> |
888 |
<listitem> |
| 889 |
<simpara> |
889 |
<simpara> |
| 890 |
<command>samba-tool domain passwordsettings set --account-lockout-threshold=5</command> |
890 |
<command>samba-tool domain passwordsettings set --account-lockout-duration=3</command> |
| 891 |
specifies how often a user can attempt to log in with an incorrect password before the account |
891 |
specifies the number of minutes an account will be locked after too many incorrect passwords |
| 892 |
is locked. |
892 |
have been entered. |
| 893 |
</simpara> |
893 |
</simpara> |
| 894 |
</listitem> |
894 |
</listitem> |
| 895 |
<listitem> |
895 |
<listitem> |
| 896 |
<simpara> |
896 |
<simpara> |
| 897 |
<command>samba-tool domain passwordsettings set --reset-account-lockout-after=5</command> |
897 |
<command>samba-tool domain passwordsettings set --reset-account-lockout-after=5</command> |
| 898 |
defines the number of minutes after which the counter is reset. If an account is automatically |
898 |
defines the number of minutes after which the counter is reset. If an account gets automatically |
| 899 |
unlocked, the counter is not reset, the account will be locked again with a single incorrect |
899 |
unlocked after the lockout duration, the counter is not reset immediately, to keep the account |
| 900 |
password. |
900 |
under strict monitoring for some time. During the time window between the end of the lockout |
|
|
901 |
duration and the point when the the counter gets reset, a single attempt to log in with an |
| 902 |
incorrect password will lock the account immediately again. |
| 901 |
</simpara> |
903 |
</simpara> |
| 902 |
</listitem> |
904 |
</listitem> |
| 903 |
</itemizedlist> |
905 |
</itemizedlist> |
|
|
|---|
| 916 |
The counter is reset each time the password is entered correctly. |
918 |
The counter is reset each time the password is entered correctly. |
| 917 |
</para> |
919 |
</para> |
| 918 |
<para> |
920 |
<para> |
| 919 |
The lockout is activated locally per system as standard. In other words, if a |
921 |
The lockout is activated locally per system by default. In other words, if a |
| 920 |
user enters her password incorrectly too many times on one system, she can |
922 |
user enters her password incorrectly too many times on one system, she can |
| 921 |
still login on another system. Setting the &ucsUCRV; <envar>auth/faillog/lock_global</envar> |
923 |
still login on another system. Setting the &ucsUCRV; <envar>auth/faillog/lock_global</envar> |
| 922 |
will make the lock effective globally and register it in the LDAP. The global |
924 |
will make the lock effective globally and register it in the LDAP directory. The global |
| 923 |
lock can only be set on &ucsMaster;/Backup systems as other |
925 |
lock can only be set on &ucsMaster;/Backup systems as other |
| 924 |
system roles do not have the necessary permissions in the LDAP |
926 |
system roles do not have the necessary permissions in the LDAP |
| 925 |
directory. On these system roles, the user is, however, locally locked or |
927 |
directory. On all systems with any of these system roles, the lockout gets automatically activated locally or |
| 926 |
unlocked again via the listener module. |
928 |
deactivated again via the listener module, depending on the current lock state in the LDAP directory. |
| 927 |
</para> |
929 |
</para> |
| 928 |
<para> |
930 |
<para> |
| 929 |
As standard, the lockout is not subject to time limitations and must be reset by |
931 |
As standard, the lockout is not subject to time limitations and must be reset by |
| 930 |
the administrator. However, it can also be reset automatically after a certain |
932 |
the administrator. However, it can also be reset automatically after a certain |
| 931 |
interval has elapsed. This is done by specifying a time period in seconds |
933 |
time interval has elapsed. This is done by specifying a time period in seconds |
| 932 |
in the &ucsUCRV; <envar>auth/faillog/unlock_time</envar>. If the value is set to 0, the lock is |
934 |
in the &ucsUCRV; <envar>auth/faillog/unlock_time</envar>. If the value is set to 0, the lock is |
| 933 |
reset immediately. |
935 |
reset immediately. |
| 934 |
</para> |
936 |
</para> |
| 935 |
<para> |
937 |
<para> |
| 936 |
As standard, the <systemitem class="username">root</systemitem> user is excluded from the password lock, but can also be |
938 |
By default, the <systemitem class="username">root</systemitem> user is excluded from the password lock, but can also be |
| 937 |
subjected to it by setting the &ucsUCRV; <envar>auth/faillog/root</envar> to <literal>yes</literal>. |
939 |
subjected to it by setting the &ucsUCRV; <envar>auth/faillog/root</envar> to <literal>yes</literal>. |
| 938 |
</para> |
940 |
</para> |
| 939 |
<para> |
941 |
<para> |
| 940 |
If accounts are only locked locally, the administrator can unlock a user account by entering the command |
942 |
If accounts are only locked locally, the administrator can unlock a user account by entering the command |
| 941 |
<command>faillog -r -u USERNAME</command>. If the lock occurs globally in the LDAP, the user can be reset |
943 |
<command>faillog -r -u USERNAME</command>. If the lock occurs globally in the LDAP directory, the user can be reset |
| 942 |
in Univention Management Console on the tab <guimenu>Account</guimenu> in the user options |
944 |
in Univention Management Console on the tab <guimenu>Account</guimenu> in the user options |
| 943 |
<guimenu>Unlock account</guimenu>. |
945 |
<guimenu>Unlock account</guimenu>. |
| 944 |
</para> |
946 |
</para> |