Module: check_mk
Branch: master
Commit: 490e69d2a215fdd9ae8683332f6bce51987c71d2
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=490e69d2a215fd…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue May 28 12:10:47 2013 +0200
Users can now be locked after N auth failures
User accounts can now be locked after a specified number of auth
failures (lock_on_logon_failures can be set to a number of tries)
---
ChangeLog | 6 +++++-
web/htdocs/login.py | 4 ++++
web/htdocs/userdb.py | 27 +++++++++++++++++++++++++++
web/plugins/config/builtin.py | 1 +
web/plugins/wato/check_mk_configuration.py | 17 +++++++++++++++++
5 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 6854aab..1090dc4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,11 @@
1.2.3i2:
Core:
* New option -B for just generating the configuration
-
+
+ Multisite:
+ * User accounts can now be locked after a specified amount of auth
+ failures (lock_on_logon_failures can be set to a number of tries)
+
Checks & Agents:
* lnx_if: Fixed crash on missing "Address" field
* viprinet_router: Now able to set required target state via rule
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index 4c4d7b6..f6f1451 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -183,6 +183,9 @@ def do_login():
# False -> failed
result = userdb.hook_login(username, password)
if result:
+ # reset failed login counts
+ userdb.on_succeeded_login(username)
+
username = result
# The login succeeded! Now:
# a) Set the auth cookie
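Review bot: `userdb.on_succeeded_login(username)` is invoked with the name the user typed, one line before `username = result` replaces it with whatever the connector returned; the reassignment suggests the two can differ, in which case the reset is keyed on a name that may not exist in the user DB (a `KeyError` in `on_succeeded_login`) and the real account's counter is never cleared. Move the call below the reassignment: `username = result` followed by `userdb.on_succeeded_login(username)`. do_login continues outside the hunk.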
@@ -207,6 +210,7 @@ def do_login():
return (username, origtarget)
else:
+ userdb.on_failed_login(username)
raise MKUserError(None, _('Invalid credentials.'))
except MKUserError, e:
html.add_user_error(e.varname, e.message)
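Review bot: The added `userdb.on_failed_login(username)` runs for every wrong password submitted against any name, so once `lock_on_logon_failures` is enabled an unauthenticated client can lock arbitrary accounts — including the administrator's — with N requests, and nothing in this change clears the lock afterwards. That trade-off should at least be stated next to the call, e.g. `# NOTE: every failure for this name counts; anyone who knows a user name can trigger the lock`, and a time-limited lock is worth considering. Separately, if `on_failed_login` raises `KeyError` for a name that is not in the user DB, that is not an `MKUserError` and escapes the handler visible here, so unknown names would produce a traceback where known names get 'Invalid credentials.' — an enumeration oracle; the guard belongs in userdb.on_failed_login. do_login continues outside the hunk.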
diff --git a/web/htdocs/userdb.py b/web/htdocs/userdb.py
index 8b836b1..2c4f043 100644
--- a/web/htdocs/userdb.py
+++ b/web/htdocs/userdb.py
@@ -118,7 +118,24 @@ def user_locked(username):
users = load_users()
return users[username].get('locked', False)
+def on_succeeded_login(username):
+ users = load_users()
+ if "num_failed" in users[username]:
+ users[username]["num_failed"] = 0
+ save_users(users)
+
+def on_failed_login(username):
+ users = load_users()
+ if "num_failed" in users[username]:
+ users[username]["num_failed"] += 1
+ else:
+ users[username]["num_failed"] = 1
+ if config.lock_on_logon_failures:
+ if users[username]["num_failed"] >= config.lock_on_logon_failures:
+ users[username]["locked"] = True
+
+ save_users(users)
root_dir = defaults.check_mk_configdir + "/wato/"
multisite_dir = defaults.default_config_dir + "/multisite.d/wato/"
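Review bot: `on_failed_login` indexes `users[username]` without checking that the name exists, so a login attempt for an unknown user name raises `KeyError` from an unauthenticated request; `on_succeeded_login` performs the same unchecked lookup. The rewrite below returns early for unknown names (keeping the code path identical for existing and non-existing accounts) and folds the two counter branches into one `dict.get`. Both hooks also call `save_users`, which according to the later hunk rewrites every user's files — a read-modify-write over the whole user DB per failed login, with no locking visible here, so concurrent failures can lose counts; persisting only the affected `num_failed.mk` would narrow that window. Both functions are complete within the hunk.
```python
def on_failed_login(username):
    users = load_users()
    if username not in users:
        return  # unknown account: nothing to count, and no KeyError on user input
    user = users[username]
    user["num_failed"] = user.get("num_failed", 0) + 1
    if config.lock_on_logon_failures \
       and user["num_failed"] >= config.lock_on_logon_failures:
        user["locked"] = True
    save_users(users)
```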
@@ -248,6 +265,11 @@ def load_users():
if d[0] != '.':
id = d
+ # read failed login counts
+ failed_file = dir + d + '/num_failed.mk'
+ if id in result and os.path.exists(failed_file):
+ result[id]['num_failed'] = int(file(failed_file).read().strip())
+
# read automation secrets and add them to existing
# users or create new users automatically
secret_file = dir + d + "/automation.secret"
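Review bot: `int(file(failed_file).read().strip())` raises `ValueError` when `num_failed.mk` is empty or corrupted (for instance a partially written file), and because this runs inside the loop of `load_users()` one bad counter file breaks loading of every user and therefore every login. An unreadable counter should degrade to 0 rather than abort. The file object is also never closed explicitly. load_users starts and ends outside the hunk.
```python
# read failed login counts
failed_file = dir + d + '/num_failed.mk'
if id in result and os.path.exists(failed_file):
    try:
        result[id]['num_failed'] = int(file(failed_file).read().strip())
    except ValueError:
        result[id]['num_failed'] = 0  # unreadable counter: treat as no failures
```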
@@ -279,6 +301,7 @@ def save_users(profiles):
"language",
"serial",
"connector",
+ "num_failed",
] + custom_values
# Keys to put into multisite configuration
@@ -347,6 +370,10 @@ def save_users(profiles):
serial_file = user_dir + '/serial.mk'
create_user_file(serial_file, 'w').write('%d\n' % user.get('serial', 0))
+ # Write out the users number of failed login
+ failed_file = user_dir + '/num_failed.mk'
+ create_user_file(failed_file, 'w').write('%d\n' % user.get('num_failed', 0))
+
# Remove settings directories of non-existant users.
# Beware: we removed this since it leads to violent destructions
# if the user database is out of the scope of Check_MK. This is
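Review bot: With `save_users` now reached from the failed-login path, this loop rewrites `num_failed.mk` (and the `serial.mk` above it) for every user on every wrong password, creating counter files for accounts that never failed; under a brute-force attempt that is a full rewrite of the user directory per request. Skipping the write when there is nothing to record keeps the directory quiet: `if user.get('num_failed') or os.path.exists(failed_file):` around the write. Like the serial line, the file object from `create_user_file` is never closed explicitly. save_users starts and ends outside the hunk.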
diff --git a/web/plugins/config/builtin.py b/web/plugins/config/builtin.py
index 2962f3a..8011c12 100644
--- a/web/plugins/config/builtin.py
+++ b/web/plugins/config/builtin.py
@@ -191,3 +191,4 @@ ldap_debug_log = None
default_user_profile = {
'roles': ['user'],
}
+lock_on_logon_failures = False
diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py
index 1f5992b..f16ac04 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -567,6 +567,23 @@ register_configvar(group,
"containing details about connecting to LDAP and the single transactions.")),
domain = "multisite")
+register_configvar(group,
+ "lock_on_logon_failures",
+ Optional(
+ Integer(
+ label = _("Number of logon failures to lock the account"),
+ default_value = 3,
+ minvalue = 1,
+ ),
+ none_value = False,
+ title = _("Lock user accounts after N logon failures"),
+ label = _("Activate automatic locking of user accounts"),
+ help = _("This options enables automatic locking of user account after "
+ "N logon failures. One successful login resets the failure counter.")
+ ),
+ domain = "multisite"
+)
+
def list_roles():
roles = userdb.load_roles()