#7437 closed enhancement (fixed)
[patch] Lock user after configurable number of failed login attempts
| Reported by: | | Owned by: | Steffen Hoffmann |
|---|---|---|---|
| Priority: | high | Component: | AccountManagerPlugin |
| Severity: | major | Keywords: | login retry limit |
| Cc: | John Hampton, Michael Renzmann, Ryan J Ollos | Trac Release: | 0.11 |
Description
Is it possible to add locking users after 3 failed login attempts? It should be useful.
Attachments (2)
Change History (11)
comment:1 Changed 14 years ago by
| Type: | enhancement → task |
|---|---|
comment:2 Changed 14 years ago by
Cc: | John Hampton added; anonymous removed |
---|---|
Keywords: | login retry limit added |
Priority: | normal → high |
Severity: | normal → major |
Summary: | lock user after failed login attemps → Lock user after configurable number of failed login attempts |
Type: | task → enhancement |
comment:3 Changed 14 years ago by
| Owner: | changed from Matt Good to Steffen Hoffmann |
|---|---|
Certainly this should be done.
And I guess it must be done independently of the AuthStore used, since there is no way to mark "max_login_attempts reached" and set an administrative lock within most, if not all of them.
Patch welcome.
Changed 14 years ago by
| Attachment: | fx_7437.patch added |
|---|---|
preview on suggested enhancement, yet somewhat incomplete
comment:4 Changed 14 years ago by
Cc: | Michael Renzmann Ryan J Ollos added |
---|---|
Status: | new → assigned |
Summary: | Lock user after configurable number of failed login attempts → [patch] Lock user after configurable number of failed login attempts |
Attached patch shows roughly what I'll come up with in absence of better code.
implemented:
- optionally limit login attempts to `login_attempt_max_count` (new option, default: 0 - means no limit for hassle-free upgrade)
- logging of failed login attempts to `session_attribute` db table
  - add entries for previously authenticated users only (polluting table with lots of random user names could even cause dangerous db growth)
  - remote IP address and corresponding attempt time included
  - keeps latest (login_attempt_max_count + 1) entries
- show active user account lock in authentication failure error message
- optional lock timeout after `user_lock_timeout` seconds (new option, default: 0 - means unlimited locking time)
  - hint on configured timeout displayed in authentication failure error message as well

planned:
- remove current «graceful» lock behaviour: lock is purely cosmetic now as AccountManagerPlugin continues password checking and releases lock on next successful attempt
- visualize locked user accounts at account admin page ('users')
- provide easy lock audit functionality at user admin page, i.e. by listing recorded attempts in a pop-up window
Comments, improvements and other suggestions are appreciated to help with the final cut.
comment:5 Changed 14 years ago by
changes to previous version:
- lock behavior fixed
- `user_lock_timeout` renamed to `user_lock_time`
- exponential lock time extension added, calculation is `t_lock = user_lock_time * user_lock_time_progression ^ exponent`; `user_lock_max_time` provides upper limit on lock time growth (defaults to 1 day)

ToDo
- features for admin page as mentioned before
- some more value checking to prevent useless and potentially dangerous custom configurations
- write documentation to wiki including commented example configurations to demonstrate effects of different combinations of new options
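How the pieces listed in comment:4 and comment:5 fit together (bounded attempt log for known users only, lock with optional timeout, exponential prolongation capped by `user_lock_max_time`, and the "locking off" case from comment:9), as an added Python example; this is not the plugin's own code, and the exponent (failures beyond `login_attempt_max_count`) and the counter reset on a successful login are assumptions.

```python
class AccountGuard:
    """Constructed stand-in for the AccountGuard class described in the ticket.
    Option names follow the ticket; the exponent (failures beyond
    login_attempt_max_count) and the reset on success are assumptions."""

    def __init__(self, login_attempt_max_count=0, user_lock_time=0,
                 user_lock_time_progression=1, user_lock_max_time=86400):
        self.max_count = login_attempt_max_count  # 0 = no limit
        self.lock_time = user_lock_time           # 0 = lock never expires
        self.progression = user_lock_time_progression
        self.max_time = user_lock_max_time        # cap on lock time growth
        self.known = set()   # users that authenticated successfully before
        self.fails = {}      # user -> failures since last successful login
        self.log = {}        # user -> [(remote_addr, timestamp)], bounded

    def lock_duration(self, user):
        """Seconds the current lock lasts; 0 = not locked, None = permanent."""
        n = self.fails.get(user, 0)
        if self.max_count == 0 or n < self.max_count:
            return 0   # locking disabled (the comment:9 case) or under the limit
        if self.lock_time == 0:
            return None
        t = self.lock_time * self.progression ** (n - self.max_count)
        return min(t, self.max_time)

    def release_time(self, user):
        """Timestamp at which the lock expires; None if permanent, 0 if none."""
        d = self.lock_duration(user)
        if not d:
            return d
        return self.log[user][-1][1] + d

    def user_locked(self, user, now):
        rel = self.release_time(user)
        return rel is None or rel > now

    def login(self, user, password_ok, remote_addr, now):
        """True on success. A locked account is rejected before the password
        is checked, so a correct guess cannot release the lock early."""
        if self.user_locked(user, now):
            return False
        if password_ok:
            self.known.add(user)
            self.fails.pop(user, None)
            return True
        if user in self.known:   # unknown names are not logged: table growth
            self.fails[user] = self.fails.get(user, 0) + 1
            entries = self.log.setdefault(user, [])
            entries.append((remote_addr, now))
            del entries[:-(self.max_count + 1)]   # keep latest max_count+1
        return False
```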
comment:6 Changed 14 years ago by
update on development status:
- core functionality is no longer extending AccountManager module directly but bundled in a new AccountGuard class instead
- user account audit information will be presented at another admin page 'details', that can't be clicked directly but requires a proper argument ('http://../details?user=<username>')
- currently locked accounts visible at admin page 'users', click-able icons leading to details page for corresponding user
- details page holds account status information and last failed login attempts log
- login page clearly reports account lock release time on login rejection
comment:7 Changed 14 years ago by
(In [9546]) AccountManagerPlugin: Introduce login attempt tracking and administrative user account locking, refs #7437.
Number of previously logged failed login attempts as well as lock condition and lock behaviour are evaluated and displayed to the user. Optional exponential lock time prolongation can be used to further reduce the effectiveness of attempted brute-force attacks on user passwords.
comment:8 Changed 14 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
(In [9548]) AccountManagerPlugin: Add admin functions for user account locking, closes #7437.
We show information related to new account locking, but be prepared for an even richer account details view here, i.e. including information regarding password reset and account/email verification status.
comment:9 Changed 14 years ago by
(In [9555]) AccountManagerPlugin: Fix user_locked() method, refs #7437.
Just noticed that it returned a false positive «locked permanently» if account locking had been turned off by (default) configuration.
#7711 was marked as a duplicate of this one.
Limiting the number of password retries is an important feature, at least in corporate applications. I suggest this should be more urgent to implement.