Feature #3096

Lock accounts after X failed attempts

Added by Ben Blier over 8 years ago. Updated over 2 years ago.

Status: New
Start date: 2009-04-01
Priority: High
Due date:
Assignee: -
% Done: 50%
Category: Accounts / authentication
Target version: -
Resolution:

Description

I believe Redmine should have the functionality available to put accounts into a locked state after so many failed login attempts. The number of failed attempts should be configurable via the Administration panel. Notification to an administrator e-mail address that the account was locked is desired as well.

I am surprised this feature has not made it into Redmine yet. Could this be something that makes it into a 0.9 release? I plan on exposing my Redmine instance to more than just internal folk within the next 6mo-1yr. I do not want to give any external entity the ability to brute force my password.

login_attempts.diff - probably buggy patch (12.9 KB) Alexander J. Murmann, 2009-04-13 05:25

login_attempts.diff (13.8 KB) Alexander J. Murmann, 2009-04-27 04:26


Related issues

Related to Redmine - Feature #3155: Password policy and secure logon procedure New 2009-04-10

History

#1 Updated by Jens Goldhammer over 8 years ago

+1

#2 Updated by Maxim Krušina over 8 years ago

+ function to email admin/user about locking. Also account can be optionally unlocked after some (probably configurable) period, like 1 hour...

#3 Updated by Adam Kubica over 8 years ago

+1 (failed attempts number should be configurable)

Automatic unlocking after some period might be security problem.

#4 Updated by Alexander J. Murmann over 8 years ago

+1
I also think this might be very useful.
I just started working on a patch for this.

#5 Updated by Alexander J. Murmann over 8 years ago

  • % Done changed from 0 to 50
I am almost done with the patch but was wondering how accounts should be unlocked.
I can see the following alternatives:
  1. After a timeout, as suggested earlier
  2. Notification email contains a link that will unlock the account again
  3. You have to deal with an admin outside the system and he has to manually unlock it
  4. Go through "forgot password" and reset the password and when the password is reset the account will be unlocked.

I personally think that 2. would be best.

Any thoughts about this or other suggestions?

#6 Updated by Ben Blier over 8 years ago

#4 isn't a viable option since my LDAP is read-only and I don't even know if "Forgot password" works with LDAP (probably not).

It would be best if the admin is given the option to configure #1, #2, or #3, but I'll take either #2 or #3.

#7 Updated by Alexander J. Murmann over 8 years ago

I implemented solution 2. Although if there is need it should be very easy to add an option to use 3. in addition.

Attached is a patch that should allow the admin to define a number of allowed login attempts and the address of an admin.
If a user fails to log in, the flash message will show how many logins are left. If none are left, the flash tells so and the account gets locked. A mail informing the provided admin address will be sent. The user will also receive a mail telling him what happened and providing a link to reactivate the account.

However since I am a bad boy I didn't write unit tests yet. So there still might be something wrong. I will provide another patch which will include tests later this week.

#8 Updated by Eric Davis over 8 years ago

Thanks Alexander. Once you add some unit tests I'll be able to take a closer look at applying this patch. From a quick glance User#authentication_failed could be cleaned up a bit. I see two calls to self.save! and no handling of their failure cases.

#9 Updated by Alexander J. Murmann over 8 years ago

I added a unit test and changed the two 'save!'s to 'save' since I could not come up with a useful way to catch a failed save.

Please let me know if and how I can improve the patch further!
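The flow discussed in #5, #7 and #9 (a configurable limit, a flash message with the remaining attempts, admin and user notifications, and a single-use reactivation link), as an added plain-Ruby illustration that is not Redmine's code and not the attached patch; `Account`, `Mailer` and the unlock URL are assumed names, and persistence (the `save`/`save!` question from #8 and #9) is left out so the block runs stand-alone:

```ruby
require 'securerandom'

# Plain-Ruby stand-in for the User model (assumed name, not Redmine's code): counts
# failed logins, locks at a configurable limit, records the mails that would go to
# the admin and the user, and unlocks through a single-use token from that mail.
class Account
  attr_reader :login, :failed_attempts, :unlock_token, :notifications

  def initialize(login, max_attempts:)
    @login, @max_attempts = login, max_attempts   # max_attempts is the admin-configurable limit
    @failed_attempts = 0
    @notifications = []   # [recipient, message] pairs, in lieu of a Mailer (assumed)
  end

  def locked?; !@unlock_token.nil?; end

  # Wrong password: returns attempts left (0 once locked) for the flash message.
  def authentication_failed
    return 0 if locked?
    @failed_attempts += 1
    remaining = @max_attempts - @failed_attempts
    lock! if remaining <= 0
    [remaining, 0].max
  end

  # Correct password: refused while locked, otherwise resets the counter.
  def authentication_succeeded
    return false if locked?
    @failed_attempts = 0
    true
  end

  # Reactivation link from the user's mail; the token is cleared on use.
  def unlock_with(token)
    return false unless locked? && token.is_a?(String) && secure_compare(@unlock_token, token)
    @unlock_token = nil
    @failed_attempts = 0
    true
  end

  private
  def lock!
    @unlock_token = SecureRandom.urlsafe_base64(32)
    @notifications << [:admin, "#{login} locked after #{@failed_attempts} failed logins"]
    @notifications << [:user, "unlock link: /account/unlock?token=#{@unlock_token}"]
  end

  def secure_compare(a, b)   # constant time: runtime does not depend on where a and b differ
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |s, (x, y)| s | (x ^ y) }.zero?
  end
end
```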

#10 Updated by Michael Litton over 8 years ago

Great, I really need this.

#11 Updated by Ben Blier over 8 years ago

I'm curious if anybody has been running this patch in their environment... What are your thoughts? Anything that could be improved?

#12 Updated by S Reid over 6 years ago

Is this still the only method to lock accounts after failed retries? Does it work with the current version of redmine?

#13 Updated by Nuno Duarte over 6 years ago

I believe this feature would improve redmine security a lot, giving more confidence to me and my clients.

#14 Updated by @ go2null over 2 years ago

duplicate of #3155

#15 Updated by Mischa The Evil over 2 years ago

@ go2null wrote:

duplicate of #3155

Not completely. #3155 is older than this issue and it is much more generic, while this issue is specific to one requested change. So I'll add a relation, but won't close this one as duplicate.

#16 Updated by Mischa The Evil over 2 years ago

  • Related to Feature #3155: Password policy and secure logon procedure added
