Cool Solution - Account lockout

From Univention Wiki

Revision as of 10:14, 14 March 2018 by Arequate (talk | contribs)
Jump to: navigation, search
Produktlogo UCS Version 4.2

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

UCS unifies different methods to authenticate and authorize users. Depending on the installed software components, there can be different mechanisms which count failed login attempts.

Password Reset

No matter how the account has been locked, you can reset it from the Univention Management Console by entering a new password for the user.

Failed Login Counters

UCS without Samba Active Directory

When using UCS without Samba AD, the complete password settings are found in the Univention Configuration Registry. The following variables define the password settings:

Variable Effect
auth/faillog This Variable controls whether the login limits apply. Set it to "yes" to activate the failed login counter
auth/faillog/limit Enter an integer to limit the number of failed logins
auth/faillog/root By default root is not limited in the number of passwords one can try. Set this variable to "yes" to subject root to the same checks.
auth/faillog/lock_global By default, each system counts on its own, whether an account is locked. Set this variable to yes to ensure, that the state is saved in the LDAP and the lock is transferred over to all systems
auth/faillog/unlock_time By default, the account is active until an administrator resets the password or disables the lock. You can set a time in seconds here if you would like the account to unlock automatically.

UCS with Samba Active Directory

UCS with Samba AD handles logins on clients differently than logins on servers. The above still applies to any authentication requests against the standard PAM stacks of UCS (such as logins to a UCS server and UCC clients). However, login attempts using Kerberos are handled by Samba AD. To limit those login attempts (e.g. Windows Clients or Ubuntu clients), you need to set a limit in Samba AD itself. To do this, log into the console of your server as root. Once you are logged in, you can use the Samba tools to see and set the applicable password policy. The commands are:

Command Effect
samba-tool domain passwordsettings show Shows the currently set password settings
samba-tool domain passwordsettings set --account-lockout-duration="Time an account is logged out" Sets the number of minutes an account is locked after too many wrong passwords were entered
samba-tool domain passwordsettings set --account-lockout-threshold="Number of failed logins before an account is logged" Sets the number of times a user can try to enter a password
samba-tool domain passwordsettings set --reset-account-lockout-after="Time before the counter is reset" Sets the time after which the counter is reset. If an account is automatically unlocked, but the counter is not reset, then a single wrong password will lock the account again.

Synchronization between the two

As of UCS 4.2 the two counters are not synchronized. This means, that a user, can in theory try to login first on a Windows Client and then on UCS. However, once one of the counters is hit, the lockout state of the account will be synchronized and the login will not be possible at any of the two (if auth/faillog/lock_global has been enabled).

In UCS 4.3 the Samba/AD lockout state is also shown in UMC and an account lockout can be reset via UMC too. If auth/faillog/lock_global has been activated on a server, then an excess of PAM login failures to that server triggers not only lockout but deactivates the account. This account state is also shown and manageable in the UMC.

Ubuntu client integration

The Ubuntu integration makes heavy use of sssd to cache credentials. To lock the client even if it cannot reach the server, set the following entries in the PAM configuration:

Entry Effect
offline_failed_login_attempts How many failed logins are allowed, while the server cannot be reached
offline_failed_login_delay How long, before the sure can try again to log in after the threshold has been reached

Please note, that these settings only apply while the client cannot reach any UCS Server. Once a Server becomes available, the client will report any failed logins and apply the server settings to these failed logins.

Personal tools