Feature #3096
Lock accounts after X failed attempts
| Status: | New | Start date: | 2009-04-01 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 50% |
| Category: | Accounts / authentication | | |
| Target version: | - | | |
| Resolution: | | | |
Description
I believe Redmine should have the functionality available to put accounts into a locked state after so many failed login attempts. The number of failed attempts should be configurable via the Administration panel. Notification to an administrator e-mail address that the account was locked is desired as well.
I am surprised this feature has not made it into Redmine yet. Could this be something that makes it into a 0.9 release? I plan on exposing my Redmine instance to more than just internal folk within the next 6mo-1yr. I do not want to give any external entity the ability to brute force my password.
History
#1 Updated by Jens Goldhammer about 3 years ago
+1
#2 Updated by Maxim Krušina about 3 years ago
+ function to email admin/user about locking. Also account can be optionally unlocked after some (probably configurable) period, like 1 hour...
#3 Updated by Adam Kubica about 3 years ago
+1 (failed attempts number should be configurable)
Automatic unlocking after some period might be security problem.
#4 Updated by Alexander J. Murmann about 3 years ago
+1
I also think this might be very useful.
I just started working on a patch for this.
#5 Updated by Alexander J. Murmann about 3 years ago
- % Done changed from 0 to 50
I can see the following alternatives:
- After a timeout, as suggested earlier
- Notification email contains a link that will unlock the account again
- You have to deal with an admin outside the system and he has to manually unlock it
- Go through "forgot password" and reset the password and when the password is reset the account will be unlocked.
I personally think that 2. would be best.
Any thoughts about this or other suggestions?
#6 Updated by Ben Blier about 3 years ago
#7 Updated by Alexander J. Murmann about 3 years ago
- File login_attempts.diff added
I implemented solution 2. Although if there is need it should be very easy to add an option to use 3. in addition.
Attached is a patch that should allow the admin to define a number of allowed login attempts and the address of an admin.
If a user fails to login the flash-message will show how many logins are left. If none are left the flash tells so and the account gets locked. A mail informing the provided admin address will be sent. The user will also receive a mail telling him what happened and providing a link to reactivate the account.
However since I am a bad boy I didn't write unit tests yet. So there still might be something wrong. I will provide another patch which will include tests later this week.
#8 Updated by Eric Davis about 3 years ago
Thanks Alexander. Once you add some unit tests I'll be able to take a closer look at applying this patch. From a quick glance User#authentication_failed could be cleaned up a bit. I see two calls to self.save! and no handling of their failure cases.
#9 Updated by Alexander J. Murmann about 3 years ago
- File login_attempts.diff added
I added a unit test and changed the two 'save!'s to 'save' since I could not come up with a useful way to catch a failed save.
Please let me know if and how I can improve the patch further!
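The lockout flow discussed in #5 and #7 to #9 (a configurable attempt limit, a lock once it is reached, notification mails to the admin and the user, and an unlock link in the user's mail) can be sketched in plain Ruby. The block below is an added illustration, not Alexander's patch or Redmine code; `LockoutPolicy`, `Account`, `notify` and the in-memory `notifications` array are hypothetical stand-ins for Redmine settings, the `User` model and ActionMailer. It also shows two things the thread only implies: the server stores only a hash of the unlock token, and the token is single-use and time-limited, which answers the concern raised in #3 about an unlock path that never expires on its own.

```ruby
require "securerandom"
require "digest"

# Added example (not Redmine code): lock an account after N failed logins and
# unlock it with an e-mailed single-use token. All class and method names are
# hypothetical.

# Compare two strings in constant time so a wrong token or password does not
# leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Admin-configurable settings: allowed attempts, unlock-link lifetime (seconds),
# and the address that is told about locks.
LockoutPolicy = Struct.new(:max_attempts, :token_ttl, :admin_email, keyword_init: true)

class Account
  attr_reader :login, :failed_attempts, :notifications

  def initialize(login:, password:, policy:)
    @login = login
    @password = password           # plaintext only for the demo; real code stores a hash
    @policy = policy
    @failed_attempts = 0
    @locked_at = nil
    @unlock_token_digest = nil     # only SHA-256(token) is kept server-side
    @unlock_token_expires_at = nil
    @notifications = []            # stand-in for outgoing mail; one Hash per message
  end

  def locked?
    !@locked_at.nil?
  end

  # Returns :ok, :locked, or [:failed, attempts_remaining].
  # A locked account is rejected before the password is checked, so guesses
  # against a locked account learn nothing about the password.
  def authenticate(password, now: Time.now)
    return :locked if locked?
    if secure_compare(password, @password)
      @failed_attempts = 0
      return :ok
    end
    authentication_failed(now)
  end

  def authentication_failed(now)
    @failed_attempts += 1
    remaining = @policy.max_attempts - @failed_attempts
    return [:failed, remaining] if remaining > 0

    token = lock!(now)
    notify(to: @policy.admin_email,
           subject: "Account #{@login} locked after #{@failed_attempts} failed logins")
    notify(to: @login, subject: "Your account has been locked", token: token)
    :locked
  end

  # Verifies the token from the e-mailed unlock link. Single use, time-limited.
  def unlock_with_token(token, now: Time.now)
    return false unless locked? && @unlock_token_digest
    return false if now > @unlock_token_expires_at
    return false unless secure_compare(Digest::SHA256.hexdigest(token), @unlock_token_digest)

    @locked_at = nil
    @failed_attempts = 0
    @unlock_token_digest = nil
    @unlock_token_expires_at = nil
    true
  end

  private

  # Generates a fresh random token, records its hash and expiry, returns the
  # plaintext token exactly once so it can be mailed to the user.
  def lock!(now)
    token = SecureRandom.hex(32)
    @locked_at = now
    @unlock_token_digest = Digest::SHA256.hexdigest(token)
    @unlock_token_expires_at = now + @policy.token_ttl
    token
  end

  def notify(**mail)
    @notifications << mail
  end
end
```

In a Rails model the state changes above would be followed by `save`, and as #8 points out the return value of `save` (or the exception from `save!`) must be handled: if the lock cannot be persisted, the login attempt should still be refused rather than silently allowed through.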
#10 Updated by Michael Litton about 3 years ago
Great, I really need this.
#11 Updated by Ben Blier almost 3 years ago
I'm curious if anybody has been running this patch in their environment... What are your thoughts? Anything that could be improved?
#12 Updated by S Reid about 1 year ago
Is this still the only method to lock accounts after failed retries? Does it work with the current version of Redmine?
#13 Updated by Nuno Duarte about 1 year ago
I believe this feature would improve Redmine security a lot, giving more confidence to me and my clients.
