
yahoo-eng-team team mailing list archive

[Bug 1642348] [NEW] Attack could lockout a service account

 

Public bug reported:

If security_compliance lockout_failure_attempts is enabled, an attacker
could lockout a service account by repeatedly failing authentication for
that service. For example:

# export OS_USERNAME=nova
# export OS_PASSWORD=fail
# while true; do openstack token issue; done

The nova service would eventually be locked out and would fail
authentication until the lockout duration ended or an admin re-enabled
the user account.

** Affects: keystone
     Importance: Undecided
     Assignee: Ron De Rose (ronald-de-rose)
         Status: New

** Description changed:

  If security_compliance lockout_failure_attempts is enabled, an attacker
  could lockout a service account by repeatedly failing authentication for
  that service. For example:
  
  # export OS_USERNAME=nova
  # export OS_PASSWORD=fail
  # while true; do openstack token issue; done
  
- The nova service would then be locked out; would fail authentication
- until the lockout duration ended or an admin re-enabled the user
- account.
+ The nova service would eventually be locked out and would fail
+ authentication until the lockout duration ended or an admin re-enabled
+ the user account.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1642348

Title:
  Attack could lockout a service account

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1642348/+subscriptions
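
The lockout behaviour reported above, as an added example that is not part of the original bug report and is not Keystone's code: a simplified model of a failure-count lockout, replayed over constructed events, with and without an exemption for the service account. The `LockoutPolicy` class, its `exempt` parameter and the 5-attempt / 1800-second values are assumptions made for illustration.

```python
"""Simplified model of a failure-count lockout policy (not Keystone's code)."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    lockout_failure_attempts: int      # failed attempts before the account locks
    lockout_duration: int              # seconds the lock lasts
    exempt: frozenset = frozenset()    # hypothetical: accounts that are never locked
    _failures: dict = field(default_factory=dict)  # user -> (count, last failure time)

    def locked(self, user, now):
        if user in self.exempt:
            return False
        count, last = self._failures.get(user, (0, 0))
        return (count >= self.lockout_failure_attempts
                and now - last < self.lockout_duration)

    def authenticate(self, user, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at time `now`."""
        if self.locked(user, now):
            return "locked"            # a correct password is rejected as well
        count, _ = self._failures.get(user, (0, 0))
        if count >= self.lockout_failure_attempts:
            count = 0                  # lock expired or user exempt: start over
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        self._failures[user] = (count + 1, now)
        return "denied"


def replay(policy, events):
    """Feed (time, user, password_ok) events through the policy in order."""
    return [policy.authenticate(user, ok, t) for t, user, ok in events]


# Constructed events: five wrong passwords for "nova" from any client, then
# the real service authenticating correctly during and after the lock window.
EVENTS = [(t, "nova", False) for t in range(5)]
EVENTS += [(10, "nova", True), (2000, "nova", True)]


def demo():
    plain = replay(LockoutPolicy(5, 1800), EVENTS)
    exempted = replay(LockoutPolicy(5, 1800, exempt=frozenset({"nova"})), EVENTS)
    return plain, exempted


if __name__ == "__main__":
    for label, result in zip(("lockout on", "nova exempt"), demo()):
        print(label, result)
```

In the first replay the service's own correct login at t=10 is refused because the counter is keyed only on the account name; in the second the same login succeeds.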

