Enable admin password complexity verification

Bug #1461431 reported by Zhenyu Zheng
This bug affects 2 people
Affects                      Status     Importance  Assigned to  Milestone
OpenStack Compute (nova)     Expired    Wishlist    Unassigned
OpenStack Security Advisory  Won't Fix  Undecided   Unassigned

Bug Description

When performing actions such as creating instances, evacuating instances, rebuilding instances, rescuing instances and updating instances' admin password, the complexity of the user-provided admin password is not verified. This can cause security problems.

One solution will be adding a configuration option: using_complex_admin_password = True. If this option is set in the configuration file by the administrator, then Nova will perform password complexity checks; the check standards can be set to follow the IT industry general standard, and if the provided admin password is not complex enough, an exception will be thrown. If this option is not set in the configuration file, then the complexity check will be skipped.
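An illustrative implementation of the proposed check, added here as an example; it is not code from Nova or from the reporter. The option name using_complex_admin_password is taken from the report, while the exception class PasswordNotComplexEnough, the function names and the concrete rules (minimum length, number of character classes, limit on repeated characters) are assumptions standing in for the "IT industry general standard" the report leaves unspecified:

```python
"""Admin password complexity check modelled on the proposal in bug 1461431.

Illustrative example, not Nova code. Only the option name
``using_complex_admin_password`` comes from the report; the exception
class, function names and the rule set below are assumptions.
"""
import re

# Character classes counted towards complexity (assumed rule set).
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Assumed policy: at least 8 characters, at least three of the four classes,
# and no character repeated more than three times in a row.
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_REPEAT = 3


class PasswordNotComplexEnough(ValueError):
    """Raised when a user-provided admin password fails the policy (hypothetical name)."""

    def __init__(self, failures):
        self.failures = list(failures)
        super().__init__("admin password rejected: " + ", ".join(self.failures))


def password_failures(password, min_length=MIN_LENGTH, min_classes=MIN_CLASSES,
                      max_repeat=MAX_REPEAT):
    """Return the names of the policy rules the password violates.

    An empty list means the password satisfies the policy. Rules are reported
    in a fixed order (min_length, min_classes, max_repeat) so callers can show
    the user every problem at once rather than one per attempt.
    """
    failures = []
    if len(password) < min_length:
        failures.append("min_length")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < min_classes:
        failures.append("min_classes")
    # (.)\1{N,} matches a character followed by N more copies, i.e. N+1 in a row.
    if re.search(r"(.)\1{%d,}" % max_repeat, password):
        failures.append("max_repeat")
    return failures


def check_admin_password(password, using_complex_admin_password=True):
    """Apply the complexity check only when the proposed option is enabled.

    Mirrors the behaviour described in the report: with the option off the
    password is accepted unchanged; with it on, a weak password raises and
    the caller (create, rebuild, rescue, evacuate, set-password) never sees it.
    """
    if not using_complex_admin_password:
        return password
    failures = password_failures(password)
    if failures:
        raise PasswordNotComplexEnough(failures)
    return password


if __name__ == "__main__":
    for candidate in ("Str0ng!Pass", "password", "Passsssword1!"):
        print(candidate, "->", password_failures(candidate) or "ok")
```

The check is deliberately separated from the config gate so the rule set can be unit-tested on its own, and reporting all failed rules at once avoids the usual round of one-error-per-attempt guesswork for the operator setting the password.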

information type: Private Security → Public Security
information type: Public Security → Private Security
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
information type: Private Security → Public Security
Jeremy Stanley (fungi) wrote :

When you temporarily switched this bug from private security to public security a few hours ago, it automatically E-mailed a copy of the report to the many hundreds of subscribers for Nova bugs. There was no longer any point in switching it back to private security after that, so I have reset it to public security again.

This report requests an additional security feature, a password complexity checker, and as such is squarely class D (security hardening) in our report taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

I recommend switching this to a normal public bug, marking the security advisory task "won't fix" and adding the "security" tag to indicate a potential security hardening opportunity. If there are no objections, I'll do that early next week.

Jeremy Stanley (fungi) wrote :

Also you seem to have started a thread about this on a public mailing list, supporting the idea that you didn't intend for it to be a private bug: http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html

Markus Zoeller (markus_z) (mzoeller) wrote :

@Zhenyu Zheng:

Just to double-check, this is not a duplicate of bug 1461433, right?

tags: added: documentation security
Zhenyu Zheng (zhengzhenyu) wrote :

@Markus Zoeller:

Yes, this one is about checking the user-provided password, and bug 1461433 is about adding a stronger symbol group for auto-generated passwords. Thank you

Tristan Cacqueray (tristan-cacqueray) wrote :

Agreed on class D type of bug.

Changed in ossa:
status: Incomplete → Won't Fix
Tony Breeds (o-tony)
Changed in nova:
importance: Undecided → Wishlist
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Compute (nova) because there has been no activity for 60 days.]

Changed in nova:
status: Incomplete → Expired