Keystone isn't acting on consecutive failed logins
Bug #963098 reported by Ionuț Arțăriși
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Opinion | Wishlist | Rafael Durán Castañeda | |
Bug Description
Trying to log in to the dashboard web interface and failing causes no special action, no matter how many times it's attempted.
Malicious users could abuse this in order to try to guess logins and passwords.
This could be prevented by a delay or a CAPTCHA after the first few failed login attempts.
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Changed in keystone:
milestone: none → folsom-1
tags: added: blueprint
Changed in keystone:
assignee: nobody → Rafael Durán Castañeda (rafadurancastaneda)
What you describe is a piece of a larger issue. Even if we put these measures in place in Horizon, it would do nothing to prevent someone from using command line tools to accomplish the same end. I'll reword this case to reflect that.
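
The delay-after-failures idea from the bug description, placed in the authentication path itself so that dashboard and command-line clients meet the same limit, as the comment above points out. This is an added example, not Keystone or Horizon code: `LoginThrottle`, `authenticate`, `verify` and the threshold values are hypothetical.

```python
import time


class LoginThrottle:
    """Hypothetical per-account throttle kept by the identity service itself."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=300.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures tolerated with no delay
        self.base_delay = base_delay        # first delay, doubled per failure
        self.max_delay = max_delay          # cap on the delay
        self.clock = clock                  # injectable so tests can move time
        self._state = {}                    # account -> (failures, blocked_until)

    def retry_after(self, account):
        """Seconds still to wait; 0.0 means an attempt is allowed now."""
        _, blocked_until = self._state.get(account, (0, 0.0))
        return max(0.0, blocked_until - self.clock())

    def record(self, account, success):
        """Update the counter and return the delay imposed by this attempt."""
        if success:
            self._state.pop(account, None)  # success resets the streak
            return 0.0
        failures = self._state.get(account, (0, 0.0))[0] + 1
        over = failures - self.free_attempts
        delay = 0.0
        if over > 0:
            delay = min(self.max_delay, self.base_delay * 2 ** (over - 1))
        self._state[account] = (failures, self.clock() + delay)
        return delay


def authenticate(throttle, verify, account, password):
    """Return (ok, retry_after). `verify` stands in for the real password check."""
    wait = throttle.retry_after(account)
    if wait > 0:
        return False, wait  # refused without evaluating the password at all
    ok = verify(account, password)
    return ok, throttle.record(account, ok)
```

The state here lives in one process, so a deployment with several API workers would need a shared store for the counters. Keying on the account name alone also means repeated failures from anyone delay the legitimate user, which is why the delay is capped and resets on success.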