Re-visit decision lockout of sysadmin and keystone admin on Nx failed logins due to Denial-Of-Service considerations

Bug #1877179 reported by Greg Waines
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Andy
Milestone: (none)

Bug Description

Brief Description
-----------------
We currently support locking out linux users and keystone users for M minutes on Nx failed authentication attempts.

This makes sense for non-admin users.

However for admin users and especially the special 'sysadmin' linux user and the special 'admin' user of the 'admin' project, the lockout of these users can be a serious issue.

This lockout behaviour basically exposes a very simple Denial Of Service attack on StarlingX administration.

We should re-visit the decision to include sysadmin and keystone-admin as one of the users that can be locked out.

Severity
--------
<Major: System/Feature is usable but degraded>

Steps to Reproduce
------------------
The denial-of-service attack is to simply write a script that authenticates to StarlingX every 30 seconds as 'sysadmin' or keystone-admin with an incorrect password.

This will deny administrative access to StarlingX.

Expected Behavior
------------------
Should NOT expose such an easy Denial Of Service Attack on StarlingX.

Actual Behavior
----------------
Should have some mechanism to prevent such a denial-of-service attack on sysadmin,
e.g. exclude sysadmin and keystone-admin from such lockouts;
there may be other alternatives.

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
Current load

Last Pass
---------
Never

Timestamp/Logs
--------------
NA

Test Activity
-------------
Evaluation

Workaround
----------
Believe all(?) user lockouts can be disabled.

Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
tags: added: stx.4.0 stx.config stx.security
Ghada Khalil (gkhalil)
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/728492

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/728493

Andy (andy.wrs) wrote :

For the sysadmin OS user, it can be locked out only when it is used to ssh to the system, and when it is the "su" target user. The failed-auth lockout is imposed by the pam_tally2 module, which is configured to be used by sshd and su. Once configured, the rule applies to all users; there is no way to exempt a particular user (other than root) from the rule.

From a security point of view, imposing a failed-auth lockout and unlocking it after a short period of time (5 min in the current configuration) is a balance between two scenarios: on one side, not allowing unlimited login attempts, and on the other side, not preventing the user from logging in for too long after a lockout (which would impact system administration tasks).

So it was decided to keep the current failed-auth lockout rule for sysadmin.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to utilities (master)

Fix proposed to branch: master
Review: https://review.opendev.org/730834

OpenStack Infra (hudson-openstack) wrote : Change abandoned on config (master)

Change abandoned by Andy Ning (<email address hidden>) on branch: master
Review: https://review.opendev.org/728493
Reason: The admin user option setting has been relocated to keystone bootstrap, so no change is needed on sysinv.

OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/730834
Committed: https://git.openstack.org/cgit/starlingx/utilities/commit/?id=12b7504a0a01fc3c74aa9f74f788422d8ecf45ee
Submitter: Zuul
Branch: master

commit 12b7504a0a01fc3c74aa9f74f788422d8ecf45ee
Author: Andy Ning <email address hidden>
Date: Tue May 26 10:03:32 2020 -0400

    Install set keystone user option scripts

    This commit packs set_keystone_user_option.sh into the platform-util rpm and
    installs it in the /usr/local/bin directory. The script can be used to set
    keystone user options such as "ignore_lockout_failure_attempts". It is
    currently used by the keystone openstack::user::option puppet class to set
    the admin user's "ignore_lockout_failure_attempts" to true to exempt it
    from the auth-fail lockout rule.

    Change-Id: I479cf2abb71fc57707d618d1cd110caf58d43394
    Closes-Bug: 1877179
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/728492
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=fc09081f3de121c4a8eb8fa0048384e6ae2d5ba9
Submitter: Zuul
Branch: master

commit fc09081f3de121c4a8eb8fa0048384e6ae2d5ba9
Author: Andy Ning <email address hidden>
Date: Fri May 15 11:38:03 2020 -0400

    Exempt keystone admin user from auth faillockout

    keystone is configured to lock the user account if it fails
    5 consecutive authentication attempts. But this can also be used
    by a DoS type of attack. This commit introduces a keystone user option
    puppet class that will be called during keystone bootstrap to exclude
    the admin user from the faillockout rule.

    The keystone user option class uses a custom script that makes a PATCH
    REST API call to keystone to update the admin user's
    'ignore_lockout_failure_attempts' option to exempt it from the
    fail lockout rule.

    Change-Id: Ie01476a98e1157d2fac44ea4f137e611d6f5ff04
    Depends-On: https://review.opendev.org/#/c/730834/
    Closes-Bug: 1877179
    Signed-off-by: Andy Ning <email address hidden>
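The commit message above describes the fix as a PATCH call on the keystone user API. As an added example (mine, not the set_keystone_user_option.sh script from the merged change) this builds that request with only the standard library and checks a returned user document for the option. The request shape, `PATCH /v3/users/{user_id}` with a body of `{"user": {"options": {...}}}`, is keystone's v3 user API; the endpoint, token, user id and the two sample user documents are constructed placeholders, and `apply_and_verify` is the only part that touches the network.

```python
import json
from urllib.request import Request, urlopen

IGNORE_LOCKOUT = "ignore_lockout_failure_attempts"


def build_user_option_request(auth_url, token, user_id, option, value=True):
    """Return the urllib Request for PATCH /v3/users/{user_id} setting one user option.

    The body shape {"user": {"options": {...}}} is keystone's v3 user API;
    auth_url, token and user_id are whatever your deployment provides."""
    body = json.dumps({"user": {"options": {option: value}}}).encode()
    return Request(
        f"{auth_url.rstrip('/')}/v3/users/{user_id}",
        data=body,
        method="PATCH",
        headers={
            "X-Auth-Token": token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def user_is_exempt(user_body):
    """True when a keystone user document carries ignore_lockout_failure_attempts=true."""
    options = (user_body.get("user") or {}).get("options") or {}
    return options.get(IGNORE_LOCKOUT) is True


def apply_and_verify(auth_url, token, user_id):
    """Send the PATCH and confirm from the response body that the option is set."""
    req = build_user_option_request(auth_url, token, user_id, IGNORE_LOCKOUT)
    with urlopen(req) as resp:              # network call; not exercised offline
        return user_is_exempt(json.loads(resp.read()))


# Constructed sample user documents (not real keystone output) in the shape
# GET/PATCH /v3/users/{id} returns, before and after the option is applied.
SAMPLE_USER_BEFORE = {"user": {"id": "0123abcd", "name": "admin",
                               "domain_id": "default", "options": {}}}
SAMPLE_USER_AFTER = {"user": {"id": "0123abcd", "name": "admin",
                              "domain_id": "default",
                              "options": {IGNORE_LOCKOUT: True}}}


if __name__ == "__main__":
    req = build_user_option_request("http://keystone.example:5000", "TOKEN",
                                    "0123abcd", IGNORE_LOCKOUT)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print("exempt before:", user_is_exempt(SAMPLE_USER_BEFORE),
          "after:", user_is_exempt(SAMPLE_USER_AFTER))
```

The token must belong to an identity the keystone policy allows to update users (the bootstrap admin in this fix). Recent python-openstackclient releases expose the same option as `openstack user set --ignore-lockout-failure-attempts admin`, if your client is new enough to have it, and `openstack user show admin` then lists it under `options`. Once the exemption is in place the admin account has no brute-force lockout at all, so the remaining protections are the password's strength and whatever rate limiting sits in front of the keystone endpoint.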

Ghada Khalil (gkhalil)
tags: added: stx.retestneeded
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/762919

OpenStack Infra (hudson-openstack) wrote : Fix proposed to utilities (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/utilities/+/792213

Ghada Khalil (gkhalil)
tags: removed: stx.retestneeded