Modify

Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#7437 closed enhancement (fixed)

[patch] Lock user after configurable number of failed login attempts

Reported by: Aliaksandr Salenka <sem7777@…> Owned by: Steffen Hoffmann
Priority: high Component: AccountManagerPlugin
Severity: major Keywords: login retry limit
Cc: John Hampton, Michael Renzmann, Ryan J Ollos Trac Release: 0.11

Description

Is it possible to add locking users after 3 failed login attemps? It should be userfull.

Attachments (2)

fx_7437.patch (11.0 KB) - added by Steffen Hoffmann 14 years ago.
preview on suggested enhancement, yet somewhat incomplete
fx_7437.2.patch (41.9 KB) - added by Steffen Hoffmann 14 years ago.
improved version

Download all attachments as: .zip

Change History (11)

comment:1 Changed 14 years ago by anonymous

Type: enhancementtask

comment:2 Changed 14 years ago by Steffen Hoffmann

Cc: John Hampton added; anonymous removed
Keywords: login retry limit added
Priority: normalhigh
Severity: normalmajor
Summary: lock user after failed login attempsLock user after configurable number of failed login attempts
Type: taskenhancement

#7711 was marked as a duplicate of this one.

Limiting number of password retries is an important feature at least in cooperate applications. I suggest this should be more urgent to implement.

comment:3 Changed 14 years ago by Steffen Hoffmann

Owner: changed from Matt Good to Steffen Hoffmann

Certainly this should be done.

And I guess it must be done independently of the AuthStore used, since there is no way to mark "max_login_attempts reached" and set an administrative lock within most, if not all of them.

Patch welcome.

Changed 14 years ago by Steffen Hoffmann

Attachment: fx_7437.patch added

preview on suggested enhancement, yet somewhat incomplete

comment:4 Changed 14 years ago by Steffen Hoffmann

Cc: Michael Renzmann Ryan J Ollos added
Status: newassigned
Summary: Lock user after configurable number of failed login attempts[patch] Lock user after configurable number of failed login attempts

Attached patch shows roughly what I'll come up with in absence of better code.

implemented:

  • optionally limit login attempts to login_attempt_max_count (new option, default: 0 - means no limit for hassle-free upgrade)
  • logging of failed login attempts to session_attribute db table
    • add entries for previously authenticated users only (polluting table with lots of random user names could even cause dangerous db growth)
    • remote IP address and corresponding attempt time included
    • keeps latest (login_attempt_max_count + 1) entries
  • show active user account lock in authentication failure error message
  • optional lock timeout after user_lock_timeout seconds (new option, default: 0 - means unlimited locking time)
    • hint on configured timeout displayed in authentication failure error message as well

planned:

  • remove current «graceful» lock behaviour: lock is purely cosmetic now as AccountManagerPlugin continues password checking and releases lock on next successful attempt
  • visualize locked user accounts at account admin page ('users')
  • provide easy lock audit functionality at user admin page, i.e. by listing recorded attempts in a pop-up window

Comments, improvements and other suggestions are appreciated to help with the final cut.

Changed 14 years ago by Steffen Hoffmann

Attachment: fx_7437.2.patch added

improved version

comment:5 Changed 14 years ago by Steffen Hoffmann

changes to previous version:

  • lock behavior fixed
  • user_lock_timeout renamed to user_lock_time
  • exponential lock time extension added, calculation is t_lock = user_lock_time * user_lock_time_progression exponent
  • user_lock_max_time provides upper limit on lock time growth (defaults to 1 day)

ToDo

  • features for admin page as mentioned before
  • some more value checking to prevent useless and potentially dangerous custom configurations
  • write documentation to wiki including commented example configurations to demonstrate effects of different combinations of new options

comment:6 Changed 14 years ago by Steffen Hoffmann

update on development status:

core functionality is no longer extending AccountManager module directly but bundled in a new AccountGuard class instead

  • user account audit information will be presented at another admin page 'details', that can't be clicked directly but requires a proper argument ('http://../details?user=<username>')
  • currently locked accounts visible at admin page 'users', click-able icons leading to details page for corresponding user
  • details page holds account status information and last failed login attempts log
  • login page clearly reports account lock release time on login rejection

comment:7 Changed 14 years ago by Steffen Hoffmann

(In [9546]) AccountManagerPlugin: Introduce login attempt tracking and administative user account locking, refs #7437.

Number of previously logged failed login attempts as well as lock condition and lock behaviour are evaluated and displayed to the user. Optional exponential lock time prolongation can be used to further reduce effectivity of attempted brute-force attacks on user passwords.

comment:8 Changed 14 years ago by Steffen Hoffmann

Resolution: fixed
Status: assignedclosed

(In [9548]) AccountManagerPlugin: Add admin functions for user account locking, closes #7437.

We show information related to new account locking, but be prepared for an even richer account details view here, i.e. including information regarding password reset and account/email verification status.

comment:9 Changed 14 years ago by Steffen Hoffmann

(In [9555]) AccountManagerPlugin: Fix user_locked() method, refs #7437.

Just noticed, that it returned false positive «locked permanently», if account locking had been turned off by (default) configuration.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Steffen Hoffmann.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.