[Freeipa-users] pam_tally for FreeIPA?

Simo Sorce ssorce at redhat.com
Fri Jun 5 15:36:27 UTC 2009


On Fri, 2009-06-05 at 16:01 +0100, David Robinson wrote:
> Hi all,
> 
> Is there a pam_tally sort of equivalent for FreeIPA? I'd like to be
> able to centralize the lockout (i.e. pam_tally) policy, e.g. after X
> failed login attempts lock the account, optionally automatically
> unlock after X mins. Locking an account would lock it for the entire
> realm instead of the local system.
> 
> One of the criteria (8.5.13 and 8.5.14) for the payment card
> industry's data security standards is that an account be locked after
> 6 incorrect login attempts. I couldn't see anything that addresses the
> criteria on the requirements doc for FreeIPA v2, and I couldn't find
> the feature in v1. Is this something that is being considered, or is
> pam_tally the way to go?

We can't use a client-side mechanism to perform the lock, or a single
machine could be abused to lock all accounts without even trying a single
password change.

We have facilities to set the nsAccountLock flag to block accounts.
At the moment our KDC does not enforce automatic locking, unfortunately
(the KDC fully respects the nsAccountLock flag when set; it just does
not set it automatically), but there is code to do that, so we should be
able to enable it at some point.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
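The server-side policy Simo describes, as an added example that is not FreeIPA's own code: failures are counted only where the server itself verified the password (so no client host can report failures to lock someone out), the nsAccountLock attribute is set on the entry once the threshold is reached, and a timed lock is cleared on the next check after the unlock interval. The in-memory directory, the 30-minute unlock interval, the toy plaintext password comparison and the lock_ldif helper are assumptions for illustration; the 6-attempt threshold is the figure quoted in the question.

```python
"""Centralised account lockout driven by nsAccountLock (illustrative only)."""
import hmac
from datetime import datetime, timedelta

# Assumed policy parameters: 6 comes from the PCI DSS criterion quoted in the
# question, the unlock interval is a hypothetical value.
MAX_FAILURES = 6
UNLOCK_AFTER = timedelta(minutes=30)


class Lockout:
    """Counts server-verified password failures per principal and toggles the
    nsAccountLock attribute on an in-memory directory entry (a dict)."""

    def __init__(self, directory, max_failures=MAX_FAILURES, unlock_after=UNLOCK_AFTER):
        self.directory = directory   # {principal: {"password": ..., "nsAccountLock": "TRUE"/"FALSE"}}
        self.max_failures = max_failures
        self.unlock_after = unlock_after
        self.failures = {}           # principal -> consecutive failure count
        self.locked_at = {}          # principal -> time of automatic lock

    def is_locked(self, principal, now):
        """True if the entry carries nsAccountLock=TRUE and the lock has not expired."""
        entry = self.directory[principal]
        if entry.get("nsAccountLock", "FALSE").upper() != "TRUE":
            return False
        locked_at = self.locked_at.get(principal)
        # A lock set by an administrator has no timestamp and never auto-expires.
        if locked_at is None or self.unlock_after is None:
            return True
        if now - locked_at >= self.unlock_after:
            self._unlock(principal)
            return False
        return True

    def check_password(self, principal, password, now):
        """Authenticate a principal. A failure is counted only here, after the
        server compared the password itself, so a single malicious client cannot
        inflate the count for other users."""
        if principal not in self.directory:
            return False
        if self.is_locked(principal, now):
            # Reject without checking, so a locked account leaks nothing about
            # whether the supplied password was correct.
            return False
        stored = self.directory[principal]["password"].encode()
        if hmac.compare_digest(stored, password.encode()):   # toy comparison, assumed
            self.failures.pop(principal, None)
            return True
        count = self.failures.get(principal, 0) + 1
        self.failures[principal] = count
        if count >= self.max_failures:
            self._lock(principal, now)
        return False

    def _lock(self, principal, now):
        self.directory[principal]["nsAccountLock"] = "TRUE"
        self.locked_at[principal] = now

    def _unlock(self, principal):
        self.directory[principal]["nsAccountLock"] = "FALSE"
        self.locked_at.pop(principal, None)
        self.failures.pop(principal, None)


def lock_ldif(dn):
    """LDIF an administrator could feed to ldapmodify to set the flag by hand
    (hypothetical helper; the attribute name is the one named in the thread)."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: nsAccountLock\n"
            "nsAccountLock: TRUE\n")


if __name__ == "__main__":
    # Constructed sample directory and timeline.
    directory = {"alice": {"password": "s3cret", "nsAccountLock": "FALSE"}}
    policy = Lockout(directory)
    t0 = datetime(2009, 6, 5, 15, 36)
    for i in range(MAX_FAILURES):
        policy.check_password("alice", "wrong", t0 + timedelta(seconds=i))
    print("locked after 6 failures:", directory["alice"]["nsAccountLock"])
    print("correct password 5 min later:", policy.check_password("alice", "s3cret", t0 + timedelta(minutes=5)))
    print("correct password 31 min later:", policy.check_password("alice", "s3cret", t0 + timedelta(minutes=31)))
    print(lock_ldif("uid=alice,cn=users,cn=accounts,dc=example,dc=com"))
```

The lock is realm-wide because the flag lives on the directory entry that every KDC and LDAP client consults, which is the property pam_tally's per-host counters cannot provide.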
