From 64b74211bb2ba85805c577232f5abd5f33ea115e Mon Sep 17 00:00:00 2001 From: Sarah Chavis <62406755+schavis@users.noreply.github.com> Date: Tue, 11 Jul 2023 15:49:15 -0700 Subject: [PATCH] Manual backport of user lock updates to 1.13.x branch (#21766) --- CHANGELOG.md | 1 + .../content/docs/upgrading/upgrade-to-1.13.x.mdx | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c26113474..16dad04d3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString. FEATURES: +* **User lockout**: Ignore repeated bad credentials from the same user for a configured period of time. Enabled by default. * **New PKI UI**: Add beta support for new and improved PKI UI [[GH-18842](https://github.com/hashicorp/vault/pull/18842)] * **Server UDS Listener**: Adding listener to Vault server to serve http request via unix domain socket [[GH-18227](https://github.com/hashicorp/vault/pull/18227)] * **Transit managed keys**: The transit secrets engine now supports configuring and using managed keys diff --git a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx index 95329d127f..30e4b75cc3 100644 --- a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx 
@@ -15,7 +15,20 @@ for Vault 1.13.x compared to 1.12. Please read it carefully. @include 'consul-dataplane-upgrade-note.mdx' -### Active Directory Secrets Engine Deprecation +### User lockout + +As of version 1.13, Vault will stop trying to validate user credentials if the +user submits multiple invalid credentials in quick succession. During lockout, +Vault ignores requests from the barred user rather than responding with a +permission denied error. + +User lockout is enabled by default with a lockout threshold of 5 attempt, a +lockout duration of 15 minutes, and a counter reset window of 15 minutes. + +For more information, refer to the [User lockout](/vault/docs/concepts/user-lockout) +overview. + +### Active directory secrets engine deprecation The Active Directory (AD) secrets engine has been deprecated as of the Vault 1.13 release. We will continue to support the AD secrets engine in maintenance mode for six major Vault
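Review bot: In the CHANGELOG hunk, the new "User lockout" entry is the only FEATURES bullet without a PR reference, while the neighbouring entries carry `[[GH-18842](...)]`-style links; since this is a manual backport of #21766, consider appending the originating GH link so readers can trace the change like the other entries. The wording "Ignore repeated bad credentials from the same user for a configured period of time" also reads as if Vault ignores the credentials rather than the login requests; "reject login requests from a user who has submitted repeated bad credentials, for a configured period of time" would match the behaviour described in the upgrade note.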
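Review bot: In the upgrade-to-1.13.x.mdx hunk, "a lockout threshold of 5 attempt" should read "5 attempts". The sentence "Vault ignores requests from the barred user rather than responding with a permission denied error" leaves the operator unsure what a locked-out client actually observes (a different error, an HTTP status, or a silently dropped request), which matters for anyone writing alerts on failed logins; state explicitly what response a locked-out login receives. Also, the renamed heading "### Active directory secrets engine deprecation" lower-cases the product name while the body text immediately below still says "The Active Directory (AD) secrets engine"; keep "Active Directory" capitalised in the heading (e.g. "### Active Directory secrets engine deprecation") so the two agree.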