Comment 16 for bug 1688137

Gage Hugo (gagehugo) wrote : Re: Attacker may use PCI-DSS 8.1.6 and 8.1.7 to lock out users indefinitely

Formatted the change from comment #12. I had to make an adjustment, however, as a "reason" field was added to the audit notifications since this was reported, I believe, which caused the notification to send a failure with no reason (Unauthorized) rather than AccountLocked. Please take a look to make sure this is correct.

The evasive-mode lockout from http://www.metzdowd.com/pipermail/cryptography/2017-August/032640.html was an interesting idea, perhaps that could be investigated in the future.