Difference between revisions of "Cool Solution - Account lockout"

From Univention Wiki

(Replaced content with "This page has been moved to the UCS Documentation. [https://docs.software-univention.de/manual-4.4.html#users:faillog Automatic lockout of users after failed login attempts]")
{{Version|UCS=4.3}}
This page has been moved to the UCS Documentation.
{{Version|UCS=4.4}}
 
{{Cool Solutions Disclaimer|Repository=no}}
 
 
  
UCS unifies different methods to authenticate and authorize users. Depending on the installed software components, different mechanisms count failed login attempts, and each keeps its own counter.

The maintained version of this content is in the UCS manual: [https://docs.software-univention.de/manual-4.4.html#users:faillog Automatic lockout of users after failed login attempts]
 
 
<h2>Password Reset</h2>
 
 
 
No matter how the account has been locked, you can unlock it from the Univention Management Console (UMC) by setting a new password for the user.
 
 
 
<h2>Failed Login Counters</h2>
 
 
 
<h3>UCS without Samba Active Directory</h3>
 
 
 
When using UCS '''without''' Samba AD, all settings for failed logins are variables in the [https://docs.software-univention.de/manual-4.3.html#computers:Administration_of_local_system_configuration_with_Univention_Configuration_Registry Univention Configuration Registry]. The following variables control the failed-login counter:
 
 
 
{| class="wikitable"
 
|-
 
! scope="col" | Variable
 
! scope="col" | Effect
 
|-
 
|<code>auth/faillog</code>
 
|Controls whether the login limits apply at all. Set it to "yes" to activate the failed-login counter.
 
|-
 
|<code>auth/faillog/limit</code>
 
|An integer: the number of failed logins after which the account is locked.
 
|-
 
|<code>auth/faillog/root</code>
 
|By default root is not limited in the number of passwords that can be tried. Set this variable to "yes" to subject root to the same limit.
 
|-
 
|<code>auth/faillog/lock_global</code>
 
|By default, each system counts failed logins and locks accounts on its own. Set this variable to "yes" to store the lock state in LDAP, so that the lock applies on all systems of the domain.
 
|-
 
|<code>auth/faillog/unlock_time</code>
 
|By default the lock persists until an administrator resets the password or removes the lock. Set a time in seconds here if the account should unlock automatically after that time.
 
|}
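The table above is the policy; what a practitioner usually wants is a quick way to tell whether a given host actually has it set. The following script is an added example, not code from this wiki page or from UCS: it parses the <code>key: value</code> lines that <code>ucr dump</code> prints (an assumption about the output format), flags the weak settings in a constructed dump, and builds the <code>ucr set</code> line that applies a hardened policy. The thresholds (at most 10 attempts, at least 300 s unlock time) and both sample configurations are constructed for the example and are not UCS defaults.

```python
"""Audit the auth/faillog UCR variables of a UCS host from `ucr dump` output.

Added example; not code from the wiki page or from UCS.  Assumes the
`key: value` line format printed by `ucr dump` and the five variables from
the table above.  Thresholds and the sample dumps are constructed here."""
from __future__ import annotations

TRUE_VALUES = {"yes", "true", "1", "on", "enable", "enabled"}  # values UCR treats as true


def parse_ucr_dump(text: str) -> dict[str, str]:
    """Turn `key: value` lines (as printed by `ucr dump`) into a dict."""
    variables: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")   # split at the first colon only
        if sep:
            variables[key.strip()] = value.strip()
    return variables


def is_true(value: str | None) -> bool:
    return value is not None and value.strip().lower() in TRUE_VALUES


def audit_faillog(ucr: dict[str, str], max_limit: int = 10, min_unlock: int = 300) -> list[str]:
    """Return a list of findings; an empty list means the policy passes.

    max_limit / min_unlock are constructed policy thresholds, not UCS defaults."""
    findings: list[str] = []
    if not is_true(ucr.get("auth/faillog")):
        findings.append("auth/faillog is not 'yes': failed logins are not counted at all")
    limit = ucr.get("auth/faillog/limit", "")
    if not limit.isdigit() or int(limit) < 1:
        findings.append("auth/faillog/limit is unset or not a positive integer: no threshold")
    elif int(limit) > max_limit:
        findings.append(f"auth/faillog/limit={limit} allows more than {max_limit} attempts")
    if not is_true(ucr.get("auth/faillog/root")):
        findings.append("auth/faillog/root is not 'yes': root is exempt from the counter")
    if not is_true(ucr.get("auth/faillog/lock_global")):
        findings.append("auth/faillog/lock_global is not 'yes': the lock state stays local to this host")
    unlock = ucr.get("auth/faillog/unlock_time", "")
    if unlock.isdigit() and 0 < int(unlock) < min_unlock:
        findings.append(f"auth/faillog/unlock_time={unlock}s is shorter than {min_unlock}s")
    return findings


def ucr_set_command(settings: dict[str, str]) -> str:
    """Build the `ucr set key=value ...` line that applies a policy."""
    return "ucr set " + " ".join(f"{key}={value}" for key, value in settings.items())


# Constructed hardened policy: 5 attempts, root included, lock shared via LDAP, auto-unlock after 15 min.
HARDENED = {
    "auth/faillog": "yes",
    "auth/faillog/limit": "5",
    "auth/faillog/root": "yes",
    "auth/faillog/lock_global": "yes",
    "auth/faillog/unlock_time": "900",
}

# Constructed `ucr dump` excerpt of a host that never switched the counter on.
WEAK_DUMP = """\
auth/faillog: no
auth/faillog/limit: 5
auth/faillog/lock_global: no
auth/faillog/unlock_time: 30
"""

if __name__ == "__main__":
    for finding in audit_faillog(parse_ucr_dump(WEAK_DUMP)):
        print("WEAK:", finding)
    print("fix with:", ucr_set_command(HARDENED))
```

Run it against the output of <code>ucr dump</code> collected from each host; any host that still reports a finding is one where an attacker gets unlimited (or merely local) password guesses.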
 
 
 
<h3>UCS with Samba Active Directory</h3>
 
 
 
UCS '''with''' Samba AD handles logins on clients differently from logins on servers. The settings above still apply to authentication requests against the standard PAM stacks of UCS (such as logins to a UCS server or to UCC clients). Login attempts using Kerberos, however, are handled by Samba AD. To limit those attempts (e.g. from Windows or Ubuntu clients), you need to set the limit in Samba AD itself.
 
To do this, log in to the console of your server as root and use the Samba tools to show and set the domain password policy. The commands are:
 
 
 
{| class="wikitable"
 
|-
 
! scope="col" | Command
 
! scope="col" | Effect
 
|-
 
|<code>samba-tool domain passwordsettings show</code>
 
|Shows the currently set password settings
 
|-
 
|<code>samba-tool domain passwordsettings set --account-lockout-duration=&lt;minutes&gt;</code>
 
|Sets the number of minutes an account stays locked after too many wrong passwords were entered
 
|-
 
|<code>samba-tool domain passwordsettings set --account-lockout-threshold=&lt;number of failed logins&gt;</code>
 
|Sets how many wrong passwords a user may enter before the account is locked
 
|-
 
|<code>samba-tool domain passwordsettings set --reset-account-lockout-after=&lt;minutes&gt;</code>
 
|Sets the time in minutes after which the failed-login counter is reset. If an account is unlocked automatically but the counter has not been reset, a single wrong password locks the account again.
 
|}
 
 
 
<h3>Synchronization between the two</h3>
 
 
 
As of '''UCS 4.2''' the two ''counters'' are not synchronized. This means that a user can in theory use up the full number of attempts first on a Windows client and then again on UCS. However, once one of the counters reaches its limit, the lockout ''state'' of the account is synchronized and login is no longer possible via either path (if <code>auth/faillog/lock_global</code> has been enabled).
 
 
 
Since '''UCS 4.3''', the Samba/AD lockout state is also shown in UMC, and an account lockout can be reset via UMC too. If <code>auth/faillog/lock_global</code> has been activated on a server, then exceeding the PAM login-failure limit on that server not only locks the account but also deactivates it. This account state is also shown in, and manageable via, UMC.
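The three behaviours that bite in practice are easy to get wrong when reasoning about them in prose: the automatic unlock (<code>auth/faillog/unlock_time</code>, <code>--account-lockout-duration</code>) does not clear the counter unless the counter is reset as well (<code>--reset-account-lockout-after</code>), the PAM and Samba counters are independent, and <code>auth/faillog/lock_global</code> only shares the lock state, not the counts. The following model is an added illustration, not code from this wiki page or from UCS, and it is a deliberate simplification: time is in seconds, each path has one counter and one lock flag, a global lock is modelled as "a lock on either side blocks both", and all policies and login sequences are constructed.

```python
"""Model of the two failed-login counters described above: the PAM counter that
auth/faillog configures and the Samba AD counter that samba-tool configures.

Added illustration, not code from the wiki page or from UCS.  Simplifications:
seconds as the time unit, one lock flag per counter, and auth/faillog/lock_global
modelled as "a lock on either side blocks both".  Policies and login sequences
are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int           # auth/faillog/limit or --account-lockout-threshold
    lockout_duration: float  # seconds until auto-unlock; 0 = locked until an admin resets it
    reset_after: float       # seconds of quiet before the counter resets; 0 = never


@dataclass
class Counter:
    failures: int = 0
    last_failure: float | None = None
    locked_since: float | None = None


class Account:
    def __init__(self, policies: dict[str, LockoutPolicy], lock_global: bool = False):
        self.policies = policies
        self.lock_global = lock_global
        self.counters = {path: Counter() for path in policies}

    def _expire(self, path: str, now: float) -> None:
        """Time-based rules: the lock expires after lockout_duration, the counter
        resets after reset_after.  The lock can expire while the counter still
        holds the old failures; that is the trap the Samba table warns about."""
        ctr, pol = self.counters[path], self.policies[path]
        if ctr.locked_since is not None and pol.lockout_duration and now - ctr.locked_since >= pol.lockout_duration:
            ctr.locked_since = None
        if ctr.last_failure is not None and pol.reset_after and now - ctr.last_failure >= pol.reset_after:
            ctr.failures, ctr.last_failure = 0, None

    def is_locked(self, path: str, now: float) -> bool:
        for p in self.counters:
            self._expire(p, now)
        if self.lock_global:  # lock state shared via LDAP: any locked counter blocks every path
            return any(c.locked_since is not None for c in self.counters.values())
        return self.counters[path].locked_since is not None

    def attempt(self, path: str, password_ok: bool, now: float) -> str:
        """Process one login attempt; returns "ok", "bad-password" or "locked"."""
        if self.is_locked(path, now):
            return "locked"
        ctr, pol = self.counters[path], self.policies[path]
        if password_ok:
            ctr.failures, ctr.last_failure = 0, None
            return "ok"
        ctr.failures += 1
        ctr.last_failure = now
        if ctr.failures >= pol.threshold:
            ctr.locked_since = now
            return "locked"
        return "bad-password"

    def admin_unlock(self) -> None:
        """What a password reset in UMC does: clears locks and counters on every path."""
        for ctr in self.counters.values():
            ctr.failures, ctr.last_failure, ctr.locked_since = 0, None, None


# Constructed policies: 3 attempts everywhere; PAM never unlocks by itself.
PAM = LockoutPolicy(threshold=3, lockout_duration=0, reset_after=0)
SAMBA_NO_RESET = LockoutPolicy(threshold=3, lockout_duration=60, reset_after=0)
SAMBA_RESET = LockoutPolicy(threshold=3, lockout_duration=60, reset_after=60)


def relock_after_expiry(samba_policy: LockoutPolicy) -> list[str]:
    """Three wrong passwords via Samba, the right one while still locked, one wrong one after expiry."""
    acct = Account({"pam": PAM, "samba": samba_policy})
    events = [(0, "samba", False), (1, "samba", False), (2, "samba", False),
              (30, "samba", True), (70, "samba", False)]
    return [acct.attempt(path, ok, t) for t, path, ok in events]


def split_attempts(lock_global: bool) -> list[str]:
    """Two wrong passwords via Samba, three via PAM (locks the PAM side), then the right one via Samba."""
    acct = Account({"pam": PAM, "samba": SAMBA_NO_RESET}, lock_global=lock_global)
    events = [(0, "samba", False), (1, "samba", False), (2, "pam", False),
              (3, "pam", False), (4, "pam", False), (5, "samba", True)]
    return [acct.attempt(path, ok, t) for t, path, ok in events]


if __name__ == "__main__":
    print("no reset-after:", relock_after_expiry(SAMBA_NO_RESET))
    print("reset-after=60:", relock_after_expiry(SAMBA_RESET))
    print("per-host locks:", split_attempts(False))
    print("global lock:   ", split_attempts(True))
```

Without a counter reset, the last attempt in <code>relock_after_expiry</code> locks the account again immediately, which is exactly the situation the Samba table describes; with <code>lock_global</code> off, <code>split_attempts</code> shows five wrong passwords and then a successful Samba login, because the PAM lock never reached the Samba side.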
 
 
 
<h2>Ubuntu client integration</h2>
 
The [http://docs.software-univention.de/domain-4.2.html#ext-dom-ubuntu Ubuntu integration] relies on <code>sssd</code>, which caches credentials for offline logins. To lock the client even while it cannot reach a server, set the following options in the <code>[pam]</code> section of <code>/etc/sssd/sssd.conf</code>:
 
 
 
{| class="wikitable"
 
|-
 
! scope="col" | Option
 
! scope="col" | Effect
 
|-
 
|<code>offline_failed_login_attempts</code>
 
|How many failed logins against the cached credentials are allowed while no server can be reached
 
|-
 
|<code>offline_failed_login_delay</code>
 
|How long (in minutes) the user has to wait before trying again once the threshold has been reached
 
|}
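A minimal <code>sssd.conf</code> fragment for the two options above, added here as an example and not taken from the wiki page or from the Univention integration; the values are constructed. Both options take integers, the attempts as a count and the delay in minutes.

```ini
# /etc/sssd/sssd.conf (excerpt, constructed example)
[pam]
# allow 3 failed logins against the cached credentials while no UCS server is reachable ...
offline_failed_login_attempts = 3
# ... then refuse further offline logins for 5 minutes
offline_failed_login_delay = 5
```

Restart <code>sssd</code> after the change, and keep the file owned by root with mode 0600; <code>sssd</code> refuses to start with a more permissive configuration file.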
 
 
 
Note that these settings only apply while the client cannot reach any UCS server. Once a server becomes available, the client reports the failed logins and the server-side settings apply to them.
 

Latest revision as of 14:06, 20 February 2020
