Ticket #7437 (closed enhancement: fixed)

Opened 3 years ago

Last modified 2 years ago

[patch] Lock user after configurable number of failed login attempts

Reported by: Aliaksandr Salenka, sem7777@gmail.com Assigned to: hasienda
Priority: high Component: AccountManagerPlugin
Severity: major Keywords: login retry limit
Cc: pacopablo, otaku42, rjollos Trac Release: 0.11

Description

Is it possible to add locking users after 3 failed login attempts? It should be useful.

Attachments

fx_7437.patch (11.0 kB) - added by hasienda on 11/01/10 00:31:43.
preview on suggested enhancement, yet somewhat incomplete
fx_7437.2.patch (41.9 kB) - added by hasienda on 11/04/10 00:56:22.
improved version

Change History

07/30/10 15:55:41 changed by anonymous

  • type changed from enhancement to task.

09/26/10 11:13:55 changed by hasienda

  • severity changed from normal to major.
  • cc set to pacopablo.
  • summary changed from lock user after failed login attemps to Lock user after configurable number of failed login attempts.
  • priority changed from normal to high.
  • keywords set to login retry limit.
  • type changed from task to enhancement.

#7711 was marked as a duplicate of this one.

Limiting the number of password retries is an important feature at least in corporate applications. I suggest this should be more urgent to implement.

10/04/10 23:55:30 changed by hasienda

  • owner changed from mgood to hasienda.

Certainly this should be done.

And I guess it must be done independently of the AuthStore used, since there is no way to mark "max_login_attempts reached" and set an administrative lock within most, if not all of them.

Patch welcome.

11/01/10 00:31:43 changed by hasienda

  • attachment fx_7437.patch added.

preview on suggested enhancement, yet somewhat incomplete

11/01/10 01:09:09 changed by hasienda

  • status changed from new to assigned.
  • cc changed from pacopablo to pacopablo, otaku42, rjollos.
  • summary changed from Lock user after configurable number of failed login attempts to [patch] Lock user after configurable number of failed login attempts.

Attached patch shows roughly what I'll come up with in absence of better code.

implemented:

  • optionally limit login attempts to login_attempt_max_count (new option, default: 0 - means no limit for hassle-free upgrade)
  • logging of failed login attempts to session_attribute db table
    • add entries for previously authenticated users only (polluting table with lots of random user names could even cause dangerous db growth)
    • remote IP address and corresponding attempt time included
    • keeps latest (login_attempt_max_count + 1) entries
  • show active user account lock in authentication failure error message
  • optional lock timeout after user_lock_timeout seconds (new option, default: 0 - means unlimited locking time)
    • hint on configured timeout displayed in authentication failure error message as well

planned:

  • remove current «graceful» lock behaviour: lock is purely cosmetic now as AccountManagerPlugin continues password checking and releases lock on next successful attempt
  • visualize locked user accounts at account admin page ('users')
  • provide easy lock audit functionality at user admin page, i.e. by listing recorded attempts in a pop-up window

Comments, improvements and other suggestions are appreciated to help with the final cut.

11/04/10 00:56:22 changed by hasienda

  • attachment fx_7437.2.patch added.

improved version

11/04/10 01:16:25 changed by hasienda

changes to previous version:

  • lock behavior fixed
  • user_lock_timeout renamed to user_lock_time
  • exponential lock time extension added, calculation is t_lock = user_lock_time * user_lock_time_progression ** exponent
  • user_lock_max_time provides upper limit on lock time growth (defaults to 1 day)

ToDo

  • features for admin page as mentioned before
  • some more value checking to prevent useless and potentially dangerous custom configurations
  • write documentation to wiki including commented example configurations to demonstrate effects of different combinations of new options
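The option semantics described in this comment and in the 11/01/10 one above (attempt log trimmed to login_attempt_max_count + 1 entries, exponential lock time capped by user_lock_max_time, 0 meaning "no limit" / "unlimited"), worked through as an added example that is not the plugin's code. The class and method names are hypothetical, and the exponent is assumed to be the number of failures beyond login_attempt_max_count since the last successful login.

```python
class AccountGuard:
    """Hypothetical stand-in for the plugin's AccountGuard (not the project's code).

    Option names follow the ticket; the exponent is assumed to be the number of
    failures beyond login_attempt_max_count, counted since the last success.
    """

    def __init__(self, max_count=0, lock_time=0, progression=1, max_time=86400):
        self.max_count = max_count        # login_attempt_max_count; 0 = no limit
        self.lock_time = lock_time        # user_lock_time in seconds; 0 = unlimited lock
        self.progression = progression    # user_lock_time_progression
        self.max_time = max_time          # user_lock_max_time, default 1 day
        self.failures = {}                # user -> failures since last successful login
        self.attempts = {}                # user -> [(ip, timestamp), ...], newest last

    def record_failure(self, user, ip, now):
        self.failures[user] = self.failures.get(user, 0) + 1
        log = self.attempts.setdefault(user, [])
        log.append((ip, now))
        if self.max_count:
            # keep only the latest (login_attempt_max_count + 1) entries
            del log[:-(self.max_count + 1)]

    def record_success(self, user):
        self.failures.pop(user, None)     # audit log in self.attempts is kept

    def lock_duration(self, user):
        """t_lock = user_lock_time * user_lock_time_progression ** exponent, capped."""
        if not self.lock_time:
            return None                   # 0 = unlimited locking time
        exponent = max(0, self.failures.get(user, 0) - self.max_count)
        return min(self.lock_time * self.progression ** exponent, self.max_time)

    def release_time(self, user):
        """Timestamp at which an active lock expires; None if not locked or unlimited."""
        if not self.max_count or self.failures.get(user, 0) < self.max_count:
            return None
        duration = self.lock_duration(user)
        if duration is None:
            return None
        return self.attempts[user][-1][1] + duration

    def user_locked(self, user, now):
        if not self.max_count:            # locking disabled: never report a lock
            return False
        if self.failures.get(user, 0) < self.max_count:
            return False
        release = self.release_time(user)
        return release is None or now < release   # None here means an unlimited lock
```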

11/25/10 22:55:15 changed by hasienda

update on development status:

Core functionality no longer extends the AccountManager module directly but is bundled in a new AccountGuard class instead.

  • user account audit information will be presented at another admin page 'details', that can't be clicked directly but requires a proper argument ('http://../details?user=<username>')
  • currently locked accounts visible at admin page 'users', click-able icons leading to details page for corresponding user
  • details page holds account status information and last failed login attempts log
  • login page clearly reports account lock release time on login rejection

11/29/10 00:58:05 changed by hasienda

(In [9546]) AccountManagerPlugin: Introduce login attempt tracking and administrative user account locking, refs #7437.

Number of previously logged failed login attempts as well as lock condition and lock behaviour are evaluated and displayed to the user. Optional exponential lock time prolongation can be used to further reduce effectivity of attempted brute-force attacks on user passwords.

11/29/10 01:02:35 changed by hasienda

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [9548]) AccountManagerPlugin: Add admin functions for user account locking, closes #7437.

We show information related to new account locking, but be prepared for an even richer account details view here, i.e. including information regarding password reset and account/email verification status.

11/29/10 22:31:57 changed by hasienda

(In [9555]) AccountManagerPlugin: Fix user_locked() method, refs #7437.

Just noticed that it returned a false positive «locked permanently» if account locking had been turned off by the (default) configuration.
