[Freeipa-devel] global account lockout

Rob Crittenden rcritten at redhat.com
Mon Apr 7 15:26:26 UTC 2014


Ludwig Krispenz wrote:
> Hi,
>
> please review the following feature design. It introduces a global
> account lockout, while trying to keep the replication traffic minimal.
> In my opinion for a real global account lockout the basic lockout
> attributes have to be replicated otherwise the benefit is minimal: an
> attacker could perform (maxFailedcount -1) login attempts on every
> server before the global lockout is set. But the design page describes
> how it could be done if it should be implemented - maybe the side effect
> that accounts could then be unlocked on any replica has its own benefit.
>
> http://www.freeipa.org/page/V4/Replicated_lockout

One weakness with this is there is still a window for extra password
attempts if one is clever, (m * (f-1))+1 to be exact, where m is the
number of masters and f is the # of allowed failed logins.

rob
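The window Rob describes can be made concrete with a small simulation. This is an added example, not code from the thread or from FreeIPA; it assumes a simplified model in which each master keeps its own failed-bind counter, the lock flag (and optionally the counter) replicates instantly, and the guesser rotates round-robin across masters.

```python
"""Simulation of the lockout window in the replicated-lockout design.
Simplified model (assumption, not FreeIPA's implementation): each master
keeps a local failed-bind counter; only the lock flag is replicated unless
replicate_counters is set, and replication is treated as instantaneous."""
from dataclasses import dataclass, field


@dataclass
class Directory:
    masters: int
    max_failed: int           # lock once this many failures are seen on one counter
    replicate_counters: bool  # True: the counter itself replicates, not just the lock
    locked: bool = False      # replicated lock flag
    failed: list[int] = field(init=False)

    def __post_init__(self) -> None:
        self.failed = [0] * self.masters

    def bind(self, master: int, password_ok: bool) -> str:
        """Outcome of one bind on `master`: 'locked' means refused unchecked."""
        if self.locked:
            return "locked"
        if password_ok:
            self.failed[master] = 0
            return "ok"
        if self.replicate_counters:
            # global counter: every master sees every failure immediately
            for i in range(self.masters):
                self.failed[i] += 1
        else:
            self.failed[master] += 1
        if self.failed[master] >= self.max_failed:
            self.locked = True  # lock flag replicates to all masters
        return "fail"


def guesses_checked_before_lock(masters: int, max_failed: int,
                                replicate_counters: bool) -> int:
    """Wrong guesses that are actually evaluated against the password
    when spread round-robin over the masters before the lock takes hold."""
    d = Directory(masters, max_failed, replicate_counters)
    checked = 0
    for attempt in range(10_000):  # hard cap so a modelling bug cannot loop forever
        if d.bind(attempt % masters, password_ok=False) == "locked":
            return checked
        checked += 1
    raise RuntimeError("account never locked")
```

With only the lock flag replicated, the count comes out at m * (f-1) + 1 evaluated guesses (13 for three masters and five allowed failures); with the counter replicated it drops to f.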
