yahoo-eng-team team mailing list archive

[Bug 1901902] Re: Authtoken not used when changing password through CLI

This is by design. The change user password API does not require a
token, mostly due to a user requiring an administrator to reset their
password if it expires since they cannot authenticate for a token.

If an attacker gets a username and password, having a token required to
change a password won't really provide any additional security here;
they can already log in/authenticate as that user.

That pci-dss bug has a change in flight to no longer expose the
accountlocked exception to users, which should prevent the username
oracle issue.

** Information type changed from Private Security to Public

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1901902

Title:
  Authtoken not used when changing password through CLI

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  There is no valid X-Auth-Token needed when changing the password of a
  user. The authentication only depends on ID and original password:

  POST /identity/v3/users/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/password HTTP/1.1
  Host: xxx.xxx.xxx.xxx
  User-Agent: python-keystoneclient
  Content-Length: 76

  {"user": {"password": "Password1234!", "original_password":
  "Password123!"}}

  The CLI adds an X-Auth-Token, but when removing it, for example using
  a proxy, the request is successfully processed. Even though this
  doesn't pose any direct risk (since the ID and original password still
  have to be known by the attacker), this unnecessarily increases the
  attack surface and doesn't feel like an intended situation.

  Combined with some of the issues reported in:
  https://bugs.launchpad.net/keystone/+bug/1688137 the risk of this
  issue increases.
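As an added illustration (not keystone's own code), the following models the password-change flow described above: the endpoint checks only the user id and original_password, so the defender-side controls are a lockout after repeated failed original_password checks and a single, uniform failure response for unknown id, wrong password and locked account, so the endpoint cannot serve as a username or lockout oracle. The class and function names, the lockout threshold and the sample users are constructed for this example.

```python
# Hypothetical model of POST /v3/users/{id}/password; not keystone code.
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5          # constructed threshold, not a keystone default
_DUMMY_SALT = b"\x00" * 16  # used so unknown ids cost the same as known ones


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


class PasswordService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = User(salt, _hash(password, salt))

    def change_password(self, user_id: str, body: dict) -> tuple[int, dict]:
        """Return (status, json). No token is consulted, as in the report."""
        fields = body.get("user", {})
        new_pw, orig_pw = fields.get("password"), fields.get("original_password")
        # One indistinguishable response for every failure mode.
        denied = (401, {"error": {"code": 401, "message": "The request you have "
                                                            "made requires authentication."}})
        if not isinstance(new_pw, str) or not isinstance(orig_pw, str):
            return denied
        user = self.users.get(user_id)
        if user is None:
            _hash(orig_pw, _DUMMY_SALT)  # equalise work for unknown ids
            return denied
        if user.locked or not hmac.compare_digest(user.pw_hash, _hash(orig_pw, user.salt)):
            user.failures += 1
            if user.failures >= MAX_FAILURES:
                user.locked = True  # an administrator must reset out of band
            return denied
        user.failures = 0
        user.salt = os.urandom(16)
        user.pw_hash = _hash(new_pw, user.salt)
        return 204, {}
```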

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1901902/+subscriptions