OneFS User Account Lockout for File Provider Configuration and Management

In this second article in the series we turn our focus to the configuration and management of the user account lockout functionality.

As discussed in the previous article, OneFS 9.13 adds three new account lockout configuration settings for the file provider. The ‘lockout-threshold’ parameter defines the maximum number of failed authentication attempts allowed before an account is locked. The ‘lockout-window’ specifies the time period over which those failed attempts are counted; if the threshold is not reached within this window, the failure counter automatically resets. Lastly, ‘lockout-duration’ determines how long the account remains locked after the threshold has been exceeded.

In operation, when repeated incorrect password attempts, whether from a legitimate user or a malicious actor, reach the configured threshold within the specified window, the account is locked for the defined duration. During this lockout period, authentication is prohibited even if the correct credentials are provided. Cluster admins can review the account’s lockout status and manually unlock it if desired. Setting the threshold to zero disables the lockout mechanism altogether. Additionally, if failed attempts are spaced beyond the lockout window or a successful authentication occurs before the threshold is reached, the failure counter resets and no lockout is enforced.
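To make the interaction of the three settings concrete, here is a small model of the lockout logic described above, written for this article as an added example rather than code from OneFS itself. The class name, the method names and the "window runs from the first failure" interpretation are assumptions of the model; the behaviours it encodes (threshold 0 disables lockout, window 0 never resets the counter, duration 0 never auto-unlocks, a success or an expired window resets the counter, correct credentials are still rejected while locked, excluded users are never locked) are the ones the text states.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutState:
    failures: int = 0                     # failed attempts counted in the current window
    window_start: Optional[float] = None  # time of the first failure in that window
    locked_at: Optional[float] = None     # time the account was locked, None if unlocked


class FileProviderLockout:
    """Model (not OneFS code) of the three file-provider lockout settings.

    threshold: failed attempts allowed before lockout (0 disables lockout entirely)
    window:    seconds over which failures are counted (0 = the counter never resets)
    duration:  seconds an account stays locked (0 = locked until manually unlocked)
    excluded:  user names that are never locked (the LockoutExcludedUsers list)
    Times are plain seconds passed in by the caller so the model is deterministic.
    """

    def __init__(self, threshold: int, window: int, duration: int, excluded=()):
        self.threshold = threshold
        self.window = window
        self.duration = duration
        self.excluded = set(excluded)
        self._state: Dict[str, LockoutState] = {}

    def _state_for(self, user: str) -> LockoutState:
        return self._state.setdefault(user, LockoutState())

    def is_locked(self, user: str, now: float) -> bool:
        """Equivalent of the 'Locked:' field shown by 'isi auth users view'."""
        st = self._state_for(user)
        if st.locked_at is None:
            return False
        # duration 0 means the lock never expires on its own
        if self.duration > 0 and now - st.locked_at >= self.duration:
            self.unlock(user)
            return False
        return True

    def unlock(self, user: str) -> None:
        """Manual unlock, as done by 'isi auth users modify <user> --unlock'."""
        self._state[user] = LockoutState()

    def authenticate(self, user: str, password_ok: bool, now: float) -> str:
        """Process one login attempt; returns 'allowed', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"  # correct credentials are rejected while the lock holds
        if password_ok:
            self.unlock(user)  # a success before the threshold resets the counter
            return "allowed"
        if self.threshold == 0 or user in self.excluded:
            return "denied"  # lockout disabled, or the user is on the exclusion list
        st = self._state_for(user)
        # Assumption of this model: the window runs from the first failure; if it
        # elapses without the threshold being reached, counting starts over.
        if st.window_start is None or (self.window > 0 and now - st.window_start > self.window):
            st.failures, st.window_start = 0, now
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_at = now
            return "locked"  # this attempt tripped the threshold
        return "denied"


if __name__ == "__main__":
    # Replay of the article's walk-through: threshold 3, window 60 s, duration 60 s.
    policy = FileProviderLockout(threshold=3, window=60, duration=60, excluded=["root"])
    for t in (0, 10, 20):
        print(t, policy.authenticate("testlock1", False, t))
    print("locked at t=30:", policy.is_locked("testlock1", 30))
    print("correct password at t=30:", policy.authenticate("testlock1", True, 30))
    print("correct password at t=81:", policy.authenticate("testlock1", True, 81))
```

The model deliberately takes the clock as a parameter: that is what lets an administrator reason about (and test) the settings before applying them to a live cluster, for example confirming that a 60-second window with widely spaced failures never accumulates to the threshold, or that a duration of 0 leaves an account locked until someone runs the manual unlock.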

So how does user account lockout work in practice?

  1. Starting with a PowerScale cluster running a fresh OneFS 9.13 install, a new user (‘testlock1’) is added to the system zone’s file provider:
# pw user add -n testlock1
  2. Next, the user ‘testlock1’ is added to the ‘AuditAdmin’ role and the password is reset:
# isi auth roles modify AuditAdmin --add-user testlock1

# isi auth users reset-password testlock1

Z,71GGsuw,36l.XK
  3. The user’s lockout status can be verified as follows:
# isi auth users view testlock1 | grep -i lock

                  Locked: No

As expected, our new ‘testlock1’ file provider user’s lockout status is reported as not locked.

Since this is a fresh 9.13 install, the user lockout parameters are still their default configuration.

# isi auth file view System | grep -i lockout

       Lockout Duration: Now

      Lockout Threshold: 0

         Lockout Window: Now

As such, the lockout threshold value of ‘0’ above indicates that user account lockout is currently disabled.

  4. Next, the lockout-threshold is set to ‘3’, the lockout-duration to 60 seconds, and the lockout-window to 60 seconds as well.
# isi auth file modify System --lockout-threshold=3 --lockout-duration=60 --lockout-window=60

Enabling the user lockout function may make the administrator account vulnerable to Denial of Service (DoS) attacks, potentially rendering the entire system unmanageable. Therefore, please choose the configuration values for lockout-duration and lockout-window carefully.

Be cautious when setting these values:

- Avoid setting lockout-duration to 0 (which means indefinitely) or a very long time, as this may result in being locked out for an extended period or even indefinitely.

- Avoid setting lockout-window to 0 (which means the failed attempt count will never be reset) or a very long time, as this may require waiting too long before the failed attempt is reset or may never be reset.

Additionally, to minimize the risk of Denial of Service (DoS) attacks, please configure the accounts that are excluded from the user lockout feature.

Are you sure you want to proceed with this action? (yes/[no]): yes

Before OneFS enables this configuration, it displays the above warning, which states that enabling lockout carries the risk of a DoS attack rendering the system unmanageable, and suggests excluding the admin account(s).
  5. The success of the above ‘isi auth file modify’ command can be verified as follows:
# isi auth file view System | grep -i lockout

       Lockout Duration: 60

      Lockout Threshold: 3

         Lockout Window: 60
  6. After three attempts to log in as user ‘testlock1’ with the wrong password within the 60-second lockout window, ‘testlock1’ is locked out:
login as: testlock1

Keyboard-interactive authentication prompts from server:

| Password:

End of keyboard-interactive prompts from server

Access denied

Keyboard-interactive authentication prompts from server:

| Password:

End of keyboard-interactive prompts from server

Access denied

Keyboard-interactive authentication prompts from server:

| Password:

End of keyboard-interactive prompts from server

Access denied

Keyboard-interactive authentication prompts from server:

| Password:

This can be verified from a cluster admin account, such as ‘root’, as follows:

# isi auth users view testlock1 | grep -i lock

                  Locked: Yes
  7. Since the lockout duration is also set to 60 seconds, after one minute this account will be unlocked.

Alternatively, this account can be unlocked manually by an administrator. For example:

# isi auth users view testlock1 | grep -i lock

                  Locked: Yes

# isi auth users modify testlock1 --unlock

# isi auth users view testlock1 | grep -i lock

                  Locked: No

If a user is added to the exclusion list, the account (in this case ‘testlock1’) is automatically exempted from the lockout function. For example:

# isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance.System.LockoutExcludedUsers='["testlock1"]'

Note that OneFS does not check whether a user account name is valid when it is added to the exclusion list.

The lockout duration value can be specified in several ways. A simple numeric value equates to seconds. For example:

# isi auth file modify System --lockout-duration=60

The above configuration locks the account out for sixty seconds (one minute).

Other, more convenient time period notations can also be used, such as M = minute, H = hour, D = day, W = week, etc.

For example, a two-day lockout duration can be expressed as follows:

# isi auth file modify System --lockout-duration=2D

Or:

# isi auth file modify System --lockout-duration=48H

The user account lockout feature provides a configurable exclusion list, which allows certain users (e.g. ‘root’ and/or ‘administrator’) to be exempted from lockout. This exclusion list is housed in gconfig, and is configured using the following ‘isi_gconfig’ CLI command permutations:

File provider: System
  Modify:  isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance.System.LockoutExcludedUsers='["user1", "user2"]'
  View:    isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance.System.LockoutExcludedUsers

File provider: Non-system
  Create:  isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance._key.<file_provider_name>._multi_sz.LockoutExcludedUsers._name=LockoutExcludedUsers
  Modify:  isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance._key.<file_provider_name>._multi_sz.LockoutExcludedUsers.value='["user3", "user4"]'
  View:    isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance._key.<file_provider_name>._multi_sz.LockoutExcludedUsers

So, for example, the syntax for adding ‘testlock1’ and ‘testlock2’ system zone user accounts to the lockout exclusion list is as follows:

# isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance.System.LockoutExcludedUsers='["testlock1", "testlock2"]'

# isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance.System.LockoutExcludedUsers

registry.Services.lsass.Parameters.Providers.File.Instance.System.LockoutExcludedUsers (char**) = [ "testlock1", "testlock2" ]

Note that the system file provider exclusion list is already present by default, so there is no need for a create option. However, for a non-system zone file provider, the exclusion list needs to be created first, before it can be modified and/or viewed.

To guard against cluster admin accounts becoming inadvertently locked out, it is generally recommended to add ‘root’ and/or ‘administrator’ to the exclusion list. For example:

# isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance.System.LockoutExcludedUsers='["root","administrator"]'

# isi_gconfig registry.Services.lsass.Parameters.Providers.File.Instance.System.LockoutExcludedUsers

registry.Services.lsass.Parameters.Providers.File.Instance.System.LockoutExcludedUsers (char**) = [ "root", "administrator" ]

Also, be aware that configuring the ‘lockout duration’ parameter to ‘0’ means the account will never get unlocked automatically, so exercise caution when configuring lockout duration.
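The two pieces of this configuration that are easiest to get wrong are the duration/window notation (a bare number is seconds; M, H, D and W scale it) and forgetting to put the admin accounts on the exclusion list before enabling lockout. The following pre-flight helper, written for this article and not part of OneFS or its CLI, parses both. It takes the text of an ‘isi_gconfig ... LockoutExcludedUsers’ view (the sample lines below are constructed to match the output format shown above) and the intended threshold, window and duration, and returns the warnings the OneFS prompt describes. The function names, the acceptance of an ‘S’ suffix and of lowercase suffix letters are assumptions of this example.

```python
import re
from typing import List, Sequence

# Suffixes named on the page: bare number = seconds; M, H, D, W = minutes, hours,
# days, weeks. Accepting 'S' and lowercase letters is this example's assumption.
_UNIT_SECONDS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

# Constructed sample lines in the format printed by 'isi_gconfig <key>' views.
SAMPLE_VIEW_TESTLOCK = (
    "registry.Services.lsass.Parameters.Providers.File.Instance.System."
    'LockoutExcludedUsers (char**) = [ "testlock1", "testlock2" ]'
)
SAMPLE_VIEW_ADMIN = (
    "registry.Services.lsass.Parameters.Providers.File.Instance.System."
    'LockoutExcludedUsers (char**) = [ "root", "administrator" ]'
)


def parse_lockout_duration(value) -> int:
    """Convert a lockout-duration or lockout-window value ('60', '1D', '48H') to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([SMHDWsmhdw]?)\s*", str(value))
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    amount = int(m.group(1))
    unit = m.group(2).upper() or "S"
    return amount * _UNIT_SECONDS[unit]


def parse_excluded_users(gconfig_output: str) -> List[str]:
    """Extract the quoted user names from a LockoutExcludedUsers view line."""
    m = re.search(r"=\s*\[(.*?)\]\s*$", gconfig_output.strip())
    if not m:
        raise ValueError("no LockoutExcludedUsers value found in output")
    return re.findall(r'"([^"]*)"', m.group(1))


def missing_admin_exclusions(gconfig_output: str,
                             required: Sequence[str] = ("root", "administrator")) -> List[str]:
    """Admin accounts that are NOT yet on the exclusion list."""
    excluded = set(parse_excluded_users(gconfig_output))
    return [u for u in required if u not in excluded]


def lockout_preflight(threshold: int, window, duration, gconfig_output: str) -> List[str]:
    """Warnings to review before running 'isi auth file modify ... --lockout-threshold=N'."""
    warnings: List[str] = []
    if threshold == 0:
        return warnings  # threshold 0 disables lockout; nothing else applies
    if parse_lockout_duration(duration) == 0:
        warnings.append("lockout-duration is 0: locked accounts never unlock automatically")
    if parse_lockout_duration(window) == 0:
        warnings.append("lockout-window is 0: the failed-attempt counter never resets")
    missing = missing_admin_exclusions(gconfig_output)
    if missing:
        warnings.append("admin accounts not in LockoutExcludedUsers: " + ", ".join(missing))
    return warnings


if __name__ == "__main__":
    print(parse_lockout_duration("48H"), parse_lockout_duration("2D"))  # same value
    for w in lockout_preflight(3, "0", "0", SAMPLE_VIEW_TESTLOCK):
        print("WARNING:", w)
    print("admin list ok:", lockout_preflight(3, "60", "60", SAMPLE_VIEW_ADMIN) == [])
```

In practice the view line would come from running the ‘isi_gconfig ... LockoutExcludedUsers’ command shown earlier and feeding its output to lockout_preflight before the ‘isi auth file modify’ command is issued; an empty result means the settings are at least free of the three pitfalls the OneFS prompt warns about.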
