Attack could lock out a service account

Bug #1642348 reported by Ron De Rose
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Ron De Rose

Bug Description

If security_compliance lockout_failure_attempts is enabled, an attacker could lock out a service account by repeatedly failing authentication for that service. For example:

# export OS_USERNAME=nova
# export OS_PASSWORD=fail
# while true; do openstack token issue; done

The nova service would eventually be locked out and would fail authentication until the lockout duration ended or an admin re-enabled the user account.

Tags: pci
Steve Martinelli (stevemar) wrote:

This is the nature of PCI: I can lock out another co-worker if I know his/her username. The crux of this problem is there are well known usernames in openstack -- "admin", "nova", etc...

There are multiple ways to solve this issue.

1) Leverage the PCI blacklist -- these users are already exempt from changing their password every X days, why not exempt them from lockout via failed auth, too?

2) Make PCI configurable per-domain. The service accounts are the ones we care most about in this situation, and they will likely reside in the same domain, so enforce PCI on domainA, but not domainB. The implementation would be similar to how we do things with LDAP.

Changed in keystone:
importance: Undecided → Medium
Lance Bragstad (lbragstad) wrote:

Is it worth suggesting that we no longer advertise "well known" accounts? I don't think this would fix the problem, but it would harden things a little bit. We could propose something to openstack-manuals that suggests generating random usernames for each service. Ultimately providing a layer of security through obscurity in addition to a proper fix - or would that be considered overkill if we just go with the blacklist route?

tags: added: pci
Changed in keystone:
status: New → In Progress
Changed in keystone:
milestone: ocata-1 → ocata-2
OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/398571
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f1af9451b7647b37c912629cbb97eacb5047266
Submitter: Jenkins
Branch: master

commit 4f1af9451b7647b37c912629cbb97eacb5047266
Author: Ronald De Rose <email address hidden>
Date: Wed Nov 16 20:31:35 2016 +0000

    Lockout ignore user list

    This patch adds a way for operators to ignore the lockout validation for
    specific users, such as service users.

    Closes-Bug: #1642348
    Change-Id: I9d48578bc6b4f84acbaaa4251b59ffef10d58d8e

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/keystone 11.0.0.0b2

This issue was fixed in the openstack/keystone 11.0.0.0b2 development milestone.
