
yahoo-eng-team team mailing list archive

[Bug 1641642] Re: users that are blacklisted for PCI support should not have failed login attempts counted


*** This bug is a duplicate of bug 1642348 ***
    https://bugs.launchpad.net/bugs/1642348

** This bug has been marked a duplicate of bug 1642348
   Attack could lockout a service account

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1641642

Title:
  users that are blacklisted for PCI support should not have failed
  login attempts counted

Status in OpenStack Identity (keystone):
  Confirmed

Bug description:
  The main idea behind the user ID blacklist for PCI was to allow
  service accounts to not have to change their password. As noted in
  [1], a by-product of any PCI implementation is a vulnerability to a
  DoS (a malicious user attempting to log in X times and locking out a
  user). This case is worsened by the fact that OpenStack uses a few
  very common usernames: "nova", "admin", "service", etc.

  Since blacklisted users are already exempt from changing their
  password every Y days, they should be equally exempt from the
  consequences of too many logins.

  [1] http://www.mattfischer.com/blog/?p=769

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1641642/+subscriptions
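As an added illustration of the lockout DoS the report describes, and of the exemption it asks for, here is a toy model of a lock-after-N-failures policy in Python. It is example code written for this page, not keystone's implementation: the policy parameters, the account names and the passwords are all constructed, and the exemption list stands in for the PCI user ID blacklist.

```python
"""Toy model of a PCI-DSS style account lockout policy, with and without an
exemption list for service accounts. Added example; not keystone code.
Policy values, account names and passwords below are constructed."""
import time
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5                   # lock after this many consecutive failures
    lockout_seconds: float = 1800.0         # how long a lock lasts
    exempt_users: frozenset = frozenset()   # stands in for the PCI user ID blacklist


@dataclass
class AuthBackend:
    policy: LockoutPolicy
    passwords: dict                                   # user -> correct password
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(user, 0.0) > now

    def authenticate(self, user, password, now=None):
        """Return True on success, False on a bad password or a locked account."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return False
        ok = self.passwords.get(user) == password
        if user in self.policy.exempt_users:
            # Exempt users: failures are neither counted nor lead to a lock.
            return ok
        if ok:
            self.failures.pop(user, None)  # a good login resets the counter
            return True
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.policy.max_failures:
            self.locked_until[user] = now + self.policy.lockout_seconds
            self.failures.pop(user, None)
        return False


def lockout_dos(backend, victim, attempts, now=0.0):
    """An attacker with no credentials sends `attempts` wrong passwords at
    `victim`. Returns True if the victim can still log in afterwards with
    the correct password, i.e. False means the DoS succeeded."""
    for i in range(attempts):
        backend.authenticate(victim, f"wrong-{i}", now=now)
    return backend.authenticate(victim, backend.passwords[victim], now=now)


def demo():
    """Constructed sample accounts: a service account and a normal user."""
    creds = {"nova": "s3rv1ce-secret", "alice": "alice-pw"}
    unprotected = AuthBackend(LockoutPolicy(), dict(creds))
    protected = AuthBackend(LockoutPolicy(exempt_users=frozenset({"nova"})), dict(creds))
    return {
        "nova_without_exemption": lockout_dos(unprotected, "nova", 5),  # False: locked out
        "nova_with_exemption": lockout_dos(protected, "nova", 5),       # True: still usable
        "alice_with_exemption": lockout_dos(protected, "alice", 5),     # False: still counted
    }


if __name__ == "__main__":
    for name, usable in demo().items():
        print(f"{name}: {'can log in' if usable else 'LOCKED OUT'}")
```

With the default policy, five bad passwords at a well-known name such as "nova" lock the service account for the full lockout window, which is exactly the DoS the report is worried about; the same five attempts against an exempted account change nothing. The trade-off is that an exempted account no longer has any brake on online password guessing, so in this model those accounts should carry long random secrets, and their failed attempts should still be logged and alerted on even though they are not counted toward a lock.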
