Comment 0 for bug 1872737

kay (kay-diam) wrote : Keystone doesn't check signature TTL of the EC2 credential auth method

AWS Signature V4 has a limited TTL for a token signature used to perform an authenticated request; usually it is 5 minutes. If a MITM is possible, then an attacker can use a sniffed header only within 5 minutes.

Keystone doesn't have a signature TTL check, and if an attacker can sniff an auth header, this header can be used an unlimited number of times to reissue an OpenStack token.

I have a tool, https://github.com/kayrus/ec2auth, to auth against Keystone using EC2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, Keystone will identify this token as a valid one and return a valid OpenStack token.
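The following is an added example, not part of the report and not Keystone's code: a sketch of the freshness check the report says is missing, rejecting a signed request whose `X-Amz-Date` is absent, malformed, or outside a 5-minute window. The function names, the exception class and the `headers`/`params` dict shape are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

SIGV4_DATE_FORMAT = "%Y%m%dT%H%M%SZ"   # ISO 8601 basic format used by SigV4
DEFAULT_TTL = timedelta(minutes=5)     # the window the report cites


class StaleSignature(Exception):
    """Hypothetical error type: the signed timestamp is unusable."""


def extract_timestamp(headers, params):
    """Return X-Amz-Date from the signed headers or query params, if any."""
    for source in (headers or {}, params or {}):
        for key, value in source.items():
            if key.lower() == "x-amz-date":
                return value
    return None


def check_signature_freshness(headers, params, now=None, ttl=DEFAULT_TTL):
    """Raise StaleSignature unless the signed timestamp is within ttl of now.

    Only meaningful together with signature verification: the timestamp
    must be covered by the signature, otherwise a replayed request could
    simply carry a new date.
    """
    raw = extract_timestamp(headers, params)
    if not raw:
        raise StaleSignature("missing X-Amz-Date")
    try:
        signed_at = datetime.strptime(raw, SIGV4_DATE_FORMAT)
    except ValueError:
        raise StaleSignature("malformed X-Amz-Date: %r" % raw)
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    # abs() also rejects timestamps too far in the future (clock skew
    # beyond ttl, or a pre-dated signature meant for later replay).
    if abs(now - signed_at) > ttl:
        raise StaleSignature("signature timestamp outside %s window" % ttl)
    return signed_at
```

A zero-valued timestamp such as `00010101T000000Z` (constructed sample) parses cleanly and is rejected by the age comparison rather than by the format check.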