
yahoo-eng-team team mailing list archive

[Bug 1153743] Re: giving out too much info on authenticate


This is by design; disable debug mode to suppress the details of auth
failures from the API.

Please re-open if debug is already False.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1153743

Title:
  giving out too much info on authenticate

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  
  When I authenticate with a user that doesn't exist, Keystone tells me that the reason authentication failed is because the user doesn't exist:

  $ curl -i -H "Content-Type: application/json" \
      -d '{"auth": {"identity": {"methods": ["password"], "password": {"user": {"name": "user1", "password": "ofs5dac", "domain": {"name": "default"}}}}}}' \
      http://localhost:35357/v3/auth/tokens

  {"error": {"message": "Could not find user: user1", "code": 401,
  "title": "Not Authorized"}}

  This is a problem because an attacker can attempt authentication with
  different user names and figure out what users exist on the system.

  Keystone should respond with a generic message about not being able to
  authenticate.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1153743/+subscriptions
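The enumeration problem described in the bug, shown as an added example that is not Keystone's code and not part of the original report. It uses a constructed in-memory user store with two users, a verbose handler that reproduces the reported "Could not find user" behaviour, a hardened handler that returns one fixed 401 body and does the same hashing work whether or not the name exists, and a probe that shows how an attacker tells the two apart. All function names, the user records and the generic error text are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed demo store (not Keystone's backend): name -> salted PBKDF2-SHA256
# hash. Round count kept low so the example runs quickly.
PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "alice": _make_user("correct horse battery staple"),
    "bob": _make_user("hunter2"),
}

# Decoy record used for unknown names so the hashing work (and so the response
# time) is the same whether or not the user exists.
DUMMY_USER = _make_user(os.urandom(16).hex())

# Assumed generic body; the point is that it carries no per-user detail.
GENERIC_401 = {"error": {"message": "The request you have made requires authentication.",
                         "code": 401, "title": "Unauthorized"}}


def authenticate_verbose(name: str, password: str) -> dict:
    """Behaviour from the bug report: the error text says which check failed."""
    user = USERS.get(name)
    if user is None:
        return {"error": {"message": f"Could not find user: {name}",
                          "code": 401, "title": "Not Authorized"}}
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return {"error": {"message": f"Invalid password for user: {name}",
                          "code": 401, "title": "Not Authorized"}}
    return {"token": {"user": name}}


def authenticate_generic(name: str, password: str) -> dict:
    """Hardened variant: one fixed 401 body for every failure, and a full
    password hash computed even when the name is unknown."""
    record = USERS.get(name, DUMMY_USER)
    candidate = _hash_password(password, record["salt"])
    # compare_digest always runs (constant-time); the identity check then
    # rejects the decoy record so it can never yield a token.
    if hmac.compare_digest(candidate, record["hash"]) and record is not DUMMY_USER:
        return {"token": {"user": name}}
    return GENERIC_401


def _fingerprint(response: dict, name: str) -> str:
    """Error message with the submitted name masked, so two unknown-user
    replies compare equal even though each echoes a different name."""
    message = response.get("error", {}).get("message", "")
    return message.replace(name, "<name>")


def enumerate_users(auth_fn, candidates, password: str = "definitely-wrong") -> list:
    """Attacker's view: names whose failure response differs from the response
    for a name that certainly does not exist."""
    probe = "no-such-user-0000"
    baseline = _fingerprint(auth_fn(probe, password), probe)
    return [c for c in candidates if _fingerprint(auth_fn(c, password), c) != baseline]


if __name__ == "__main__":
    names = ["alice", "user1", "bob"]
    print("verbose handler leaks:", enumerate_users(authenticate_verbose, names))
    print("generic handler leaks:", enumerate_users(authenticate_generic, names))
```

Against the verbose handler the probe recovers `alice` and `bob` from a wordlist of three names with no valid credentials at all; against the generic handler every failure looks identical, so it recovers nothing. Note that a uniform message is only half the fix: if the unknown-user path skips the password hash, response time still separates the two cases, which is why the hardened handler hashes against a decoy record.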