yahoo-eng-team team mailing list archive

[Bug 996595] Re: [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid.

 

** Summary changed:

- Following a password compromise and subsequent password change, tokens remain valid.
+ [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid.

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Thierry Carrez (ttx)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/996595

Title:
  [OSSA 2012-010] Following a password compromise and subsequent
  password change, tokens remain valid.

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in “keystone” package in Ubuntu:
  Fix Released
Status in “keystone” source package in Precise:
  Fix Released

Bug description:
  If a password is compromised and a user changes their password (or has it changed),
  tokens that were issued previous to the password change remain valid. This
  not only allows an attacker to keep access to the account for the lifetime of the
  token, but they can also create new tokens before the original token is expired,
  allowing them to hold onto access indefinitely.

  Of course, knowing this, an administrator could DELETE tokens individually via the API if
  they knew the id of each one.

  
  To reproduce :

  Create a test user (in this case id = ebae56e4d2114b9a994b69ac682a8d26)

  # get a token
  curl -X POST http://127.0.0.1:5000/v2.0/tokens -d '{"auth": {"tenantName":"testuser", "passwordCredentials":{"username":"testuser", "password":"password1"}}}' -H 'Content-Type: application/json'

  {"access": {"token": {"expires": "2012-05-09T14:16:39Z", "id":
  "00de15a6f8884e9ab3e518f4e416a484", "tenant": {"description":
  "testuser", "enabled": true, "id": "t18", "name": "testuser"}},
  "serviceCatalog": [{"endpoints": [{"adminURL":
  "http://localhost:8080/v1/AUTH_t18", "region": "regionOne",
  "internalURL": "http://localhost:8080/v1/AUTH_t18", "publicURL":
  "http://localhost:8080/v1/AUTH_t18"}], "endpoints_links": [], "type":
  "object-store", "name": "swift"}, {"endpoints": [{"adminURL":
  "http://localhost:9292/v1", "region": "regionOne", "internalURL":
  "http://localhost:9292/v1", "publicURL": "http://localhost:9292/v1"}],
  "endpoints_links": [], "type": "image", "name": "glance"}], "user":
  {"username": "testuser", "roles_links": [], "id":
  "ebae56e4d2114b9a994b69ac682a8d26", "roles": [{"id":
  "65f7b0195e5c401680017b263e095e16", "name": "swiftoperator"}, {"id":
  "ae1ea19f90fc46908117548d5babe6c9", "name": "admin"}], "name":
  "testuser"}}}

  # change password because of a compromise
  keystone user-password-update --pass password2 ebae56e4d2114b9a994b69ac682a8d26

  # try to get a token with old credentials
  curl -X POST http://127.0.0.1:5000/v2.0/tokens -d '{"auth": {"tenantName":"testuser", "passwordCredentials":{"username":"testuser", "password":"password1"}}}' -H 'Content-Type: application/json'

  {"error": {"message": "Invalid user / password", "code": 401, "title":
  "Not Authorized"}}

  
  # but we still have an old token that can be used with endpoints
  curl -X POST http://127.0.0.1:5000/v2.0/tokens -d '{"auth": {"tenantName":"testuser", "token":{"id":"00de15a6f8884e9ab3e518f4e416a484"}}}' -H 'Content-Type: application/json'

  {"access": {"token": {"expires": "2012-05-09T14:19:13Z", "id":
  "c5a5ebfe6b3245eba3a4f609e1526fbd", "tenant": {"description":
  "testuser", "enabled": true, "id": "t18", "name": "testuser"}},
  "serviceCatalog": [{"endpoints": [{"adminURL":
  "http://localhost:8080/v1/AUTH_t18", "region": "regionOne",
  "internalURL": "http://localhost:8080/v1/AUTH_t18", "publicURL":
  "http://localhost:8080/v1/AUTH_t18"}], "endpoints_links": [], "type":
  "object-store", "name": "swift"}, {"endpoints": [{"adminURL":
  "http://localhost:9292/v1", "region": "regionOne", "internalURL":
  "http://localhost:9292/v1", "publicURL": "http://localhost:9292/v1"}],
  "endpoints_links": [], "type": "image", "name": "glance"}], "user":
  {"username": "testuser", "roles_links": [], "id":
  "ebae56e4d2114b9a994b69ac682a8d26", "roles": [{"id":
  "65f7b0195e5c401680017b263e095e16", "name": "swiftoperator"}, {"id":
  "ae1ea19f90fc46908117548d5babe6c9", "name": "admin"}], "name":
  "testuser"}}}

  
  # disabling the user doesn't prevent the token from working either, it only appears to disable password authentication

  # NOTE : this should probably be a separate issue, i.e. disabling a
  user doesn't disable/delete tokens

  curl -X POST http://127.0.0.1:5000/v2.0/tokens -d '{"auth": {"tenantName":"testuser", "passwordCredentials":{"username":"testuser", "password":"password2"}}}' -H 'Content-Type: application/json'

  {"access": {"token": {"expires": "2012-05-09T14:47:24Z", "id":
  "4458c9d81d854fd098d5c799237722ba", "tenant": {"description":
  "testuser", "enabled": true, "id": "t18", "name": "testuser"}},
  "serviceCatalog": [{"endpoints": [{"adminURL":
  "http://localhost:8080/v1/AUTH_t18", "region": "regionOne",
  "internalURL": "http://localhost:8080/v1/AUTH_t18", "publicURL":
  "http://localhost:8080/v1/AUTH_t18"}], "endpoints_links": [], "type":
  "object-store", "name": "swift"}, {"endpoints": [{"adminURL":
  "http://localhost:9292/v1", "region": "regionOne", "internalURL":
  "http://localhost:9292/v1", "publicURL": "http://localhost:9292/v1"}],
  "endpoints_links": [], "type": "image", "name": "glance"}], "user":
  {"username": "testuser", "roles_links": [], "id":
  "ebae56e4d2114b9a994b69ac682a8d26", "roles": [{"id":
  "65f7b0195e5c401680017b263e095e16", "name": "swiftoperator"}, {"id":
  "ae1ea19f90fc46908117548d5babe6c9", "name": "admin"}], "name":
  "testuser"}}}

  # disable the user
  keystone user-update --enabled false ebae56e4d2114b9a994b69ac682a8d26

  # confirm
  curl -X POST http://127.0.0.1:5000/v2.0/tokens -d '{"auth": {"tenantName":"testuser", "passwordCredentials":{"username":"testuser", "password":"password2"}}}' -H 'Content-Type: application/json'

  {"error": {"message": "User has been disabled", "code": 403, "title":
  "Not Authorized"}}

  # a token can still be used
  curl -X POST http://127.0.0.1:5000/v2.0/tokens -d '{"auth": {"tenantName":"testuser", "token":{"id":"4458c9d81d854fd098d5c799237722ba"}}}' -H 'Content-Type: application/json'

  {"access": {"token": {"expires": "2012-05-09T14:47:40Z", "id":
  "935f78d7457d4e22be3b6f0ed1fe17fb", "tenant": {"description":
  "testuser", "enabled": true, "id": "t18", "name": "testuser"}},
  "serviceCatalog": [{"endpoints": [{"adminURL":
  "http://localhost:8080/v1/AUTH_t18", "region": "regionOne",
  "internalURL": "http://localhost:8080/v1/AUTH_t18", "publicURL":
  "http://localhost:8080/v1/AUTH_t18"}], "endpoints_links": [], "type":
  "object-store", "name": "swift"}, {"endpoints": [{"adminURL":
  "http://localhost:9292/v1", "region": "regionOne", "internalURL":
  "http://localhost:9292/v1", "publicURL": "http://localhost:9292/v1"}],
  "endpoints_links": [], "type": "image", "name": "glance"}], "user":
  {"username": "testuser", "roles_links": [], "id":
  "ebae56e4d2114b9a994b69ac682a8d26", "roles": [{"id":
  "65f7b0195e5c401680017b263e095e16", "name": "swiftoperator"}, {"id":
  "ae1ea19f90fc46908117548d5babe6c9", "name": "admin"}], "name":
  "testuser"}}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/996595/+subscriptions
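The validation rule the bug report above is asking for, as an added toy model that is not Keystone's code: every token records the password "generation" in force when it was issued, and validation rejects a token whose user is now disabled or whose generation is stale, so a password change or a disable kills all outstanding tokens without an administrator having to know each token id. The class and method names (TokenService, auth_password, auth_token, validate) are hypothetical, and the clock is a constructed integer.

```python
import secrets
from dataclasses import dataclass
@dataclass
class User:
    user_id: str
    password: str                  # plaintext only because this is a toy model
    enabled: bool = True
    password_generation: int = 0   # incremented on every password change

@dataclass
class Token:
    user_id: str
    password_generation: int   # generation in force when the token was issued
    expires: int               # seconds on a constructed clock, not real time

class TokenService:
    def __init__(self):
        self.users, self.tokens = {}, {}   # user_id -> User, token_id -> Token

    def _issue(self, user, now, ttl=3600):
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = Token(user.user_id, user.password_generation, now + ttl)
        return token_id

    def auth_password(self, user_id, password, now):
        user = self.users.get(user_id)
        if user is None or not user.enabled or not secrets.compare_digest(user.password, password):
            return None
        return self._issue(user, now)

    def validate(self, token_id, now):
        tok = self.tokens.get(token_id)
        if tok is None or tok.expires <= now:
            return False
        user = self.users.get(tok.user_id)
        # Dead once the user is disabled or the token predates the latest password change.
        return user is not None and user.enabled and tok.password_generation == user.password_generation

    def auth_token(self, token_id, now):
        # Token-for-token exchange re-validates, so a stolen token cannot be renewed.
        if not self.validate(token_id, now):
            return None
        return self._issue(self.users[self.tokens[token_id].user_id], now)

    def change_password(self, user_id, new_password):
        user = self.users[user_id]
        user.password, user.password_generation = new_password, user.password_generation + 1

    def disable_user(self, user_id):
        self.users[user_id].enabled = False
```

Tokens issued before the change are still present in the store, yet both direct use and the token-for-token renewal the report demonstrates fail closed.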