yahoo-eng-team team mailing list archive

[Bug 1642348] Re: Attack could lockout a service account


Reviewed:  https://review.openstack.org/398571
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f1af9451b7647b37c912629cbb97eacb5047266
Submitter: Jenkins
Branch:    master

commit 4f1af9451b7647b37c912629cbb97eacb5047266
Author: Ronald De Rose <ronald.de.rose@xxxxxxxxx>
Date:   Wed Nov 16 20:31:35 2016 +0000

    Lockout ignore user list
    
    This patch adds a way for operators to ignore the lockout validation for
    specific users, such as service users.
    
    Closes-Bug: #1642348
    Change-Id: I9d48578bc6b4f84acbaaa4251b59ffef10d58d8e


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1642348

Title:
  Attack could lockout a service account

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  If security_compliance lockout_failure_attempts is enabled, an
  attacker could lock out a service account by repeatedly failing
  authentication for that service. For example:

  # export OS_USERNAME=nova
  # export OS_PASSWORD=fail
  # while true; do openstack token issue; done

  The nova service would eventually be locked out and would fail
  authentication until the lockout duration ended or an admin re-enabled
  the user account.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1642348/+subscriptions
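A simplified model of the lockout behaviour described in this bug and of the fix the commit introduces, added here as an editor's example and not keystone's own code: failed attempts are counted per user and the account is locked for the lockout duration once the failure threshold is reached, except for users on an operator-maintained ignore list (keystone exposes this as the lockout_ignored_user_ids option in the [security_compliance] section, a detail not on this page). The names LockoutPolicy and simulate_bruteforce are this example's own, and the user ids are constructed.

```python
import time
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Constructed model of a keystone-style failed-auth lockout."""
    failure_attempts: int                     # like lockout_failure_attempts
    duration: float                           # like lockout_duration (seconds)
    ignored_user_ids: frozenset = frozenset()  # like lockout_ignored_user_ids
    _failures: dict = field(default_factory=dict)      # user_id -> failure count
    _locked_until: dict = field(default_factory=dict)  # user_id -> unlock timestamp

    def is_locked(self, user_id, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(user_id)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget the lock and the failure count.
            del self._locked_until[user_id]
            self._failures.pop(user_id, None)
            return False
        return True

    def record_failure(self, user_id, now=None):
        """Register one bad credential; return True if the user is now locked."""
        now = time.time() if now is None else now
        if user_id in self.ignored_user_ids:
            # Service account on the ignore list: the attempt still fails,
            # but it can never trip the lockout (the fix for this bug).
            return False
        if self.is_locked(user_id, now):
            return True
        count = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = count
        if count >= self.failure_attempts:
            self._locked_until[user_id] = now + self.duration
            return True
        return False

    def record_success(self, user_id):
        """A good login resets the failure counter."""
        self._failures.pop(user_id, None)


def simulate_bruteforce(policy, user_id, attempts, now=0.0):
    """Replay `attempts` bad passwords one second apart; report the final lock state."""
    for i in range(attempts):
        policy.record_failure(user_id, now=now + i)
    return policy.is_locked(user_id, now=now + attempts)
```

With the ignore list empty the "nova" account is locked after the fifth failure, exactly the denial of service the report describes; with "nova" on the list the same attempts leave it usable while a regular user is still protected.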
