AWS Signature V4 signatures carry the request timestamp (X-Amz-Date) inside the signed data and are only accepted for a limited time: AWS rejects a request whose signed timestamp is too far from the server's clock (the documented skew limit is 15 minutes), so a signed header captured by a man-in-the-middle can only be replayed within that window.
Keystone's EC2 credential authentication recomputes the signature but performs no TTL check on the signed timestamp, so an attacker who sniffs one such signed request can replay it an unlimited number of times to reissue OpenStack tokens.
I have an https://github.com/kayrus/ec2auth tool to auth against keystone using ec2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, keystone will identify this token as a valid one and return a valid openstack token.
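The two verifier behaviours described above, side by side, as an added example that is not Keystone's code and not the ec2auth tool's code. It uses the real SigV4 signing-key derivation but a simplified string-to-sign (method, path, query and canonical headers are left out; that is an assumption of the example), constructed sample credentials, and AWS's documented 15-minute skew window as the TTL. The weak verifier only recomputes the HMAC, so a captured request (including one signed with Go's zero time.Time{}, which renders as 00010101T000000Z) stays valid forever; the strict verifier also bounds the signed timestamp against the server clock.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample credentials: not real keys, just fixed values so the
# example runs offline and deterministically.
ACCESS_KEY = "AKIAEXAMPLE0000000000"
SECRET_KEY = "example-secret-key-do-not-use"
REGION, SERVICE = "RegionOne", "ec2"

# AWS's documented clock-skew limit; the strict verifier enforces it.
MAX_SKEW = timedelta(minutes=15)
AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str) -> bytes:
    """Real SigV4 key derivation: AWS4<secret> -> date -> region -> service -> aws4_request."""
    k = _hmac_sha256(("AWS4" + secret).encode(), date)
    k = _hmac_sha256(k, REGION)
    k = _hmac_sha256(k, SERVICE)
    return _hmac_sha256(k, "aws4_request")


def string_to_sign(amz_date: str, payload: str) -> str:
    """Simplified string-to-sign (assumption: real SigV4 also hashes method,
    path, query and canonical headers). The timestamp is part of the signed
    data, so an attacker cannot refresh it without the secret."""
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    payload_hash = hashlib.sha256(payload.encode()).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, payload_hash])


def sign(secret: str, amz_date: str, payload: str) -> str:
    msg = string_to_sign(amz_date, payload).encode()
    return hmac.new(signing_key(secret, amz_date[:8]), msg, hashlib.sha256).hexdigest()


def make_request(amz_date: str, payload: str = "Action=GetToken") -> dict:
    """A client request, i.e. exactly what a MITM would capture on the wire."""
    return {"access": ACCESS_KEY, "x-amz-date": amz_date,
            "payload": payload, "signature": sign(SECRET_KEY, amz_date, payload)}


def _lookup_secret(access: str):
    # Stand-in for the server's credential store.
    return SECRET_KEY if access == ACCESS_KEY else None


def verify_signature_only(req: dict) -> bool:
    """Keystone-style check as the report describes it: recompute and compare,
    never look at x-amz-date. Any captured request stays valid forever."""
    secret = _lookup_secret(req["access"])
    if secret is None:
        return False
    expected = sign(secret, req["x-amz-date"], req["payload"])
    return hmac.compare_digest(expected, req["signature"])


def verify_with_ttl(req: dict, now: datetime) -> bool:
    """Hardened check: valid signature AND signed timestamp within MAX_SKEW of now."""
    if not verify_signature_only(req):
        return False
    try:
        ts = datetime.strptime(req["x-amz-date"], AMZ_DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False  # unparseable date: reject rather than default to "now"
    return abs(now - ts) <= MAX_SKEW


def replay_demo() -> dict:
    t0 = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)
    captured = make_request(t0.strftime(AMZ_DATE_FMT))   # sniffed at t0
    zero_time = make_request("00010101T000000Z")          # Go's time.Time{} as X-Amz-Date
    tampered = dict(captured, payload="Action=GetToken&admin=1")
    return {
        "weak_accepts_replay_6h_later": verify_signature_only(captured),
        "weak_accepts_zero_timestamp": verify_signature_only(zero_time),
        "weak_rejects_tampered_body": not verify_signature_only(tampered),
        "strict_accepts_fresh": verify_with_ttl(captured, t0 + timedelta(minutes=1)),
        "strict_rejects_replay_6h_later": not verify_with_ttl(captured, t0 + timedelta(hours=6)),
        "strict_rejects_zero_timestamp": not verify_with_ttl(zero_time, t0),
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name}: {ok}")
```

Every entry of replay_demo() comes back True: the signature-only verifier accepts the six-hour-old capture and the zero-timestamp request while still rejecting a modified body, and the TTL-enforcing verifier accepts only the fresh request. A skew window alone still leaves a 15-minute replay opportunity; a server that wants to close that too has to remember recently seen signatures (a nonce cache) for the length of the window.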