Introduction
User Lockout is a new feature added in Vault 1.13.0 designed to prevent Brute Forcing of credentials across three initial Auth Methods, that are UserPass, Ldap, and Approle. If a user provides incorrect credentials several times in a row, Vault will stop trying to validate their credentials for a predefined period of time and instead return an error indicating permission denied.
Configuration
The user lockout feature is enabled by default with Vault 1.13.0. The following are the available parameters with default values for this feature:
| Parameter Name | Default Value | Description |
| -user-lockout-threshold | string: "5" | The number of failed login attempts before the user is locked out. |
| -user-lockout-duration | string: "15m" | Specifies how long a user will be locked out for. |
| -user-lockout-counter-reset-duration | string: "15m" | Specifies the time after which the lockout counter is reset if no failed login attempts have occurred |
| -user-lockout-disable | bool:false | If set to true, disables the user lockout feature |
Lets understand the parameters defined above with scenarios:
Assume we define a user lockout threshold of 5, lockout duration of 10 minutes and lockout reset counter of 15 minutes.
Scenario 1:Assume we have 4 failed logins and the user attempts another failed login (5th attempt), the user will be locked out for 10 minutes. After this 10 minutes lockout duration, the user will be unlocked and will be able to login.
Scenario 2: Consider we've had four failed logins and the user hasn't attempted to log in for 15 minutes. The user's lockout counter is reset in this case.The lockout counter will be reset only for unlocked users, not locked users.
#By default we will not able to see the default values of user lockout parameter until we change it
root@vaults0:/home/vagrant# vault read sys/auth/userpass/tune
#Key Value
#--- -----
#default_lease_ttl 768h
#description n/a
#force_no_cache false
#max_lease_ttl 768h
#token_type default-service
#Let's override the -user-lockout-disable parameter value to false which is false bydefault
root@vaults0:/home/vagrant# vault auth tune -user-lockout-disable=false /userpass
#Success! Tuned the auth method at: userpass/
#Here it is showing the default values that are defined above and it will change once we change these values by ourselves.
root@vaults0:/home/vagrant# vault read sys/auth/userpass/tune
#Key Value
#--- -----
#default_lease_ttl 768h
#description n/a
#force_no_cache false
#max_lease_ttl 768h
#token_type default-service
#user_lockout_counter_reset_duration 0s
#user_lockout_disable false
#user_lockout_duration 0s
#user_lockout_threshold 0
The following is the order of precedence for user lockout configuration:
Configuration for an auth mount using tune >> Configuration for an auth method in config file >> Configuration for "all" auth methods in config file >> Default values.
The precedence for disable user lockout is as follows:
Disable using environment variable VAULT_DISABLE_USER_LOCKOUT >> Configuration for an auth mount using tune >> Configuration for an auth method in config file >> Configuration for "all" auth methods in config file >> Default values.
#Disable user lockout feature for all three auth methods i.e., Userpass, Ldap, Approle by
#exporting the env variable
root@vaults0:/home/vagrant# export VAULT_DISABLE_USER_LOCKOUT="true"
#If we want to disable a single auth method(type: userpass, approle, ldap), set -user-lockout-disable="true"
root@vaults0:/home/vagrant# vault auth tune -user-lockout-disable="true" /userpass
#Success! Tuned the auth method at: userpass/
How to list the Locked Users:
We can list the locked users from CLI and API. The commands return a list of locked users from the current namespace as well as from its all child namespaces
#We can list the locked users from CLI and via API
#CLI Command
#Below command give the list of locked users from current namespace + all of its child namespace for all auth mount accessor
vault read /sys/locked-users
#Below command give the list of locked users from specific mount accessor only
vault read /sys/locked-users mount_accessor=$auth_mount_accessor
#Equivalent API calls for the above CLI commands
curl --header "X-Vault-Token: $VAULT_TOKEN" -H "X-Vault-Namespace: root/" --request GET http://localhost:8200/v1/sys/locked-users | jq
curl --header "X-Vault-Token: $VAULT_TOKEN" -H "X-Vault-Namespace: root/" --request GET http://localhost:8200/v1/sys/locked-users?mount_accessor=auth_userpass_16ec4b33 | jq
How to unlock the Locked Users:
We can unlock the users via CLI and API. For unlocking the users we have to provide mount_accessor and alias_identifier in the commands. This command is idempotent, which means it can be executed even if the user with the specified mount_accessor and alias_identifier is not locked.
| Auth Methods | alias_identifier |
| UserPass | username |
| LDAP | username |
| Approle | role_id |
#Commands to unlock the users
#CLI Command
vault write -force /sys/locked-users/$mount_accessor/unlock/$alias-identifier
#Equivalent API calla for the above CLI command
curl --header "X-Vault-Token: $VAULT_TOKEN" --header "X-Vault-Namespace: root/" --request POST http://localhost:8200/v1/sys/locked-users/$mount_accessor/unlock/$alias-identifier
Error that we get after user locked in the audit log
| Auth Method | Inputs | Alias_identifier | Error Returned |
| Approle | role_id, secret_id | role_id |
Until user threshold not reached:- invalid secret_id , http error code: 500 At the time of UserLocked:- * permission denied, http error code: 403 |
| Ldap | username, password | username |
Until user threshold not reached:- ldap bind failed, ldap operation failed, error="LDAP Result Code 49 \"Invalid Credentials\" (in operational logs), http code: 204 No Content At the time of UserLocked:- * permission denied, http error code: 403 |
| Userpass | username, password | username |
Until user threshold not reached:- * invalid username or password, http error code: 500 At the time of UserLocked:-* permission denied, http error code: 403 |