Comment 0 for bug 1279750

Abu Shohel Ahmed (shohel-csdu) wrote : input validation problem in authentication front end

Currently, the username/password authentication mechanism has an input length validation check in keystone/token/controllers.py:

    def _authenticate_local(self, context, auth):
        ...
        password = auth['passwordCredentials']['password']
        if password and len(password) > CONF.identity.max_password_length:
        ...

        if user_id and len(user_id) > CONF.max_param_size:
        ...

        if len(username) > CONF.max_param_size:

where by default keystone.conf sets identity.max_password_length to 4096 and max_param_size to 64,
whereas in the user DB schema the password length is 128, user_id is 64 and username is 255.

This has security implications: even though the front tier can invalidate the auth parameters due to the length mismatch, with
the current setup the request will proceed to a query to the backend and then a possible mismatch. This creates unnecessary load on the backend.
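The following is an added example, not Keystone's code and not posted by the reporter. It takes the limits quoted in the comment (config defaults of 4096 and 64; column lengths of 128, 64 and 255) as constructed tables, mirrors the shape of the front-end length check, and classifies each auth parameter so the two kinds of gap the comment describes become visible: values the front end accepts although no stored row can match them (the backend query is wasted), and values the front end rejects although the schema could store them. The function and dict names are hypothetical.

```python
"""Added example (not Keystone's code): compare the length limits a
front-end check enforces against the column lengths of the backing
schema, and flag the gaps described in the bug report.

All numbers below are constructed from the values quoted in the report;
the names CONFIG_LIMITS, SCHEMA_LIMITS, classify and effective_limits are
hypothetical.
"""

# Config-level limits as quoted in the report (keystone.conf defaults).
CONFIG_LIMITS = {
    "password": 4096,   # identity.max_password_length
    "user_id": 64,      # max_param_size
    "username": 64,     # max_param_size
}

# Column lengths as quoted in the report for the user table.
SCHEMA_LIMITS = {
    "password": 128,
    "user_id": 64,
    "username": 255,
}


def front_end_accepts(field, value, limits=CONFIG_LIMITS):
    """Mirror the shape of the front-end check: reject only when the
    value is longer than the configured maximum for that field."""
    return len(value) <= limits[field]


def classify(field, value, config=CONFIG_LIMITS, schema=SCHEMA_LIMITS):
    """Classify a value against both the config limit and the column length.

    'ok'                    passes both limits
    'wasted_backend'        front end accepts it, but it is longer than the
                            column, so no stored row can match and the
                            backend query only adds load
    'rejected_but_storable' front end rejects it although the column could
                            hold it (config limit tighter than schema)
    'rejected'              rejected by the front end and too long for the
                            column as well
    """
    n = len(value)
    if n > config[field]:
        return "rejected_but_storable" if n <= schema[field] else "rejected"
    if n > schema[field]:
        return "wasted_backend"
    return "ok"


def effective_limits(config=CONFIG_LIMITS, schema=SCHEMA_LIMITS):
    """Tightest per-field limit the front end could enforce without
    rejecting anything the schema can store: min(config, schema).
    With the quoted values this lowers the password limit from 4096 to 128
    and leaves user_id and username at the config value of 64."""
    return {field: min(config[field], schema[field]) for field in config}


def gaps(config=CONFIG_LIMITS, schema=SCHEMA_LIMITS):
    """Fields whose config limit differs from the column length, with the
    direction of the mismatch."""
    out = {}
    for field in config:
        if config[field] > schema[field]:
            out[field] = "config looser than schema (wasted backend queries)"
        elif config[field] < schema[field]:
            out[field] = "config tighter than schema (storable values rejected)"
    return out


if __name__ == "__main__":
    for field, value in [("password", "p" * 200), ("username", "u" * 100),
                         ("user_id", "x" * 64)]:
        print(field, len(value), classify(field, value))
    print(effective_limits())
    print(gaps())
```

Running the block prints the classification of a 200-character password (accepted by the check, longer than the column), a 100-character username (rejected by the check, although the column allows 255) and a 64-character user_id (fits both), followed by the tightened limits and the per-field mismatch directions.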