
yahoo-eng-team team mailing list archive

[Bug 1125239] Re: Username Harvesting

 

You're running in debug mode :)

Set debug = false in keystone.conf and the details of authentication
failures will be suppressed.

** Changed in: keystone
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1125239

Title:
  Username Harvesting

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  It is possible to enumerate if a user exists or not via API calls.

  If a username is valid but the token is invalid you get -

  {"error": {"message": "Invalid user / password", "code": 401, "title": "Not Authorized"}}

  If the username does not exist you get

  {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}

  These messages should be the same.

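A regression check for the behaviour reported above, as an added example that is not part of the original message or of Keystone's code: it compares the two failure bodies quoted in the bug description and lists the fields that let a client tell them apart. The function names are hypothetical, and the sample bodies are copied from the report.

```python
import json

# Failure bodies quoted in the bug description (Keystone with debug enabled).
KNOWN_USER_BAD_CREDS = (
    '{"error": {"message": "Invalid user / password", "code": 401, '
    '"title": "Not Authorized"}}'
)
UNKNOWN_USER = (
    '{"error": {"message": "The request you have made requires '
    'authentication.", "code": 401, "title": "Not Authorized"}}'
)


def flatten(value, prefix=""):
    """Flatten nested JSON into {dotted.path: leaf_value}."""
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = enumerate(value)
    else:
        return {prefix or "<body>": value}
    flat = {}
    for key, child in items:
        path = f"{prefix}.{key}" if prefix else str(key)
        flat.update(flatten(child, path))
    return flat


def parse_body(body):
    """Parse a response body; non-JSON bodies are compared as raw text."""
    try:
        return flatten(json.loads(body))
    except ValueError:
        return {"<body>": body}


def distinguishing_fields(known_user_body, unknown_user_body):
    """Return (path, known, unknown) per differing field; [] means no difference."""
    known, unknown = parse_body(known_user_body), parse_body(unknown_user_body)
    return [
        (path, known.get(path), unknown.get(path))
        for path in sorted(set(known) | set(unknown))
        if known.get(path) != unknown.get(path)
    ]


if __name__ == "__main__":
    for path, a, b in distinguishing_fields(KNOWN_USER_BAD_CREDS, UNKNOWN_USER):
        print(f"{path}: {a!r} != {b!r}")
```

Feeding it the two bodies captured after changing the debug setting shows whether the failures have become indistinguishable.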