Re-visit decision lockout of sysadmin and keystone admin on Nx failed logins due to Denial-Of-Service considerations
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | High | Andy | 
Bug Description
Brief Description
-----------------
We currently support locking out linux users and keystone users for M minutes on Nx failed authentication attempts.
This makes sense for non-admin users.
However for admin users and especially the special 'sysadmin' linux user and the special 'admin' user of the 'admin' project, the lockout of these users can be a serious issue.
This lockout behaviour basically exposes a very simple Denial Of Service attack on StarlingX administration.
We should re-visit the decision to include sysadmin and keystone-admin as one of the users that can be locked out.
Severity
--------
<Major: System/Feature is usable but degraded>
Steps to Reproduce
------------------
The denial of service attack is simply to write a script that authenticates to StarlingX as 'sysadmin' or keystone-admin every 30 seconds with an incorrect password.
This will be able to deny administrative access to StarlingX.
Expected Behavior
------------------
Should NOT expose such an easy Denial Of Service Attack on StarlingX.
Actual Behavior
----------------
Should have some mechanism to prevent such a denial of service attack on sysadmin,
e.g. exclude sysadmin and keystone-admin from such lockouts;
maybe other alternatives.
Reproducibility
---------------
100% reproducible
System Configuration
--------------------
Any
Branch/Pull Time/Commit
-----------------------
Current load
Last Pass
---------
Never
Timestamp/Logs
--------------
NA
Test Activity
-------------
Evaluation
Workaround
----------
Believe all(?) user lockouts can be disabled.
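An added example, not part of this bug report or of the StarlingX code, that models the lockout policy the report describes (M minutes after N failed attempts) and replays the pattern from Steps to Reproduce against it, once with 'sysadmin' lockable and once with the exemption proposed under Actual Behavior. The counter semantics, the parameter values and the `LockoutPolicy` / `admin_denial_ratio` names are assumptions of this model, not the behaviour of the PAM or Keystone lockout code.

```python
from dataclasses import dataclass, field

# Constructed model of "lock a user for M minutes after N failed logins".
# The counter semantics are an assumption for this example, not the
# behaviour of StarlingX's PAM or Keystone lockout implementation.
@dataclass
class LockoutPolicy:
    max_failures: int                 # N failed attempts before lockout
    lockout_seconds: int              # M minutes, expressed in seconds
    exempt_users: frozenset = frozenset()          # proposed fix: never locked
    failures: dict = field(default_factory=dict)   # user -> (count, last_fail_t)

    def is_locked(self, user, now):
        count, last = self.failures.get(user, (0, None))
        return count >= self.max_failures and now - last < self.lockout_seconds

    def authenticate(self, user, password_ok, now):
        """Return 'ok', 'bad_password' or 'locked' for one login attempt."""
        if user in self.exempt_users:
            return "ok" if password_ok else "bad_password"
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)   # a successful login clears the counter
            return "ok"
        count, _ = self.failures.get(user, (0, None))
        self.failures[user] = (count + 1, now)
        return "bad_password"


def admin_denial_ratio(policy, user, horizon, bad_every=30, good_every=600):
    """Replay the Steps to Reproduce pattern: a wrong password for `user` every
    `bad_every` seconds, interleaved with the real administrator logging in
    correctly every `good_every` seconds. Returns the fraction of the
    administrator's own logins that the policy refused."""
    events = [(t, False) for t in range(0, horizon, bad_every)]
    events += [(t, True) for t in range(good_every, horizon, good_every)]
    events.sort()   # at equal timestamps the wrong password is tried first
    total = denied = 0
    for t, legit in events:
        result = policy.authenticate(user, password_ok=legit, now=t)
        if legit:
            total += 1
            if result != "ok":
                denied += 1
    return denied / total


if __name__ == "__main__":
    # constructed values: 5 failures -> 5 minute lockout, one hour of traffic
    current = LockoutPolicy(max_failures=5, lockout_seconds=300)
    fixed = LockoutPolicy(5, 300, exempt_users=frozenset({"sysadmin"}))
    print("sysadmin lockable:", admin_denial_ratio(current, "sysadmin", 3600))  # 1.0
    print("sysadmin exempt  :", admin_denial_ratio(fixed, "sysadmin", 3600))    # 0.0
```

With the administrator's account lockable, every one of the administrator's logins in the hour is refused, which is the outcome the report describes; exempting the account brings that to zero.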
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
tags: added: stx.4.0 stx.config stx.security
Changed in starlingx:
status: Triaged → In Progress
tags: added: stx.retestneeded
tags: removed: stx.retestneeded
Fix proposed to branch: master
Review: https://review.opendev.org/728492