From 716f0feb2f57415c14a47e087328c603138d3671 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Wed, 22 Jul 2020 16:54:37 +0200
Subject: [PATCH] Disable keystone account locking by default

It provides an easy to exploit DoS opportunity.

Change-Id: I3839e9930511ff2d3a6b69bef5ae898d92a21ff1
---
 .../roles/bifrost-keystone-install/defaults/main.yml | 3 +++
 .../templates/keystone.conf.j2 | 5 ++++-
 .../notes/keystone-lockout-c8a26a09e0f0560b.yaml | 12 ++++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/keystone-lockout-c8a26a09e0f0560b.yaml

diff --git a/playbooks/roles/bifrost-keystone-install/defaults/main.yml b/playbooks/roles/bifrost-keystone-install/defaults/main.yml
index 59f9d892a..aba8cb447 100644
--- a/playbooks/roles/bifrost-keystone-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-keystone-install/defaults/main.yml
@@ -4,6 +4,9 @@ keystone_source_install: true
 keystone_git_url: https://opendev.org/openstack/keystone
 keystone_git_folder: /opt/stack/keystone
 
+keystone_lockout_security_attempts: -1
+keystone_lockout_duration: 1800
+
 skip_install: False
 # set to true to skip installing ironic dependencies
 skip_package_install: False
diff --git a/playbooks/roles/bifrost-keystone-install/templates/keystone.conf.j2 b/playbooks/roles/bifrost-keystone-install/templates/keystone.conf.j2
index c0763dffb..c6e694c6f 100644
--- a/playbooks/roles/bifrost-keystone-install/templates/keystone.conf.j2
+++ b/playbooks/roles/bifrost-keystone-install/templates/keystone.conf.j2
@@ -20,7 +20,10 @@ connection = mysql+pymysql://{{ keystone.database.username }}:{{ keystone.databa
 use_db_reconnect = true
 
 [security_compliance]
-lockout_failure_attempts = 3
+{% if keystone_lockout_security_attempts > 0 %}
+lockout_failure_attempts = {{ keystone_lockout_security_attempts }}
+lockout_duration = {{ keystone_lockout_duration }}
+{% endif %}
 
 [token]
 provider = fernet
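Review bot: The new `keystone_lockout_security_attempts: -1` and `keystone_lockout_duration: 1800` defaults carry no comment, and `-1` is a sentinel whose meaning (the template renders no lockout settings for any value that is not greater than zero) is only discoverable by reading keystone.conf.j2. Since the previous hard-coded value of 3 let anyone who could reach the auth endpoint lock an arbitrary account, presumably including the service accounts Bifrost itself authenticates with, the trade-off deserves stating where operators look; I would add above the first line `# Failed logins before Keystone locks the account; <= 0 (default) disables lockout, because a low threshold lets an unauthenticated client lock out any account, service users included.` and above the second `# Seconds an account stays locked when lockout is enabled.`. It is also worth noting in the same comment that with lockout off Keystone applies no brute-force throttling of its own, so operators relying on it should rate-limit at the front-end proxy instead.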
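Review bot: `{% if keystone_lockout_security_attempts > 0 %}` compares the variable with an integer directly, but a value supplied on the command line (`-e keystone_lockout_security_attempts=5`) arrives as a string, and under Python 3 a `str > int` comparison raises TypeError, so re-enabling lockout that way fails during templating rather than producing the intended config; `{% if keystone_lockout_security_attempts | int > 0 %}` avoids this, and the two rendered values could take `| int` as well so a malformed override fails loudly. When the condition is false the `[security_compliance]` section now renders empty, silently relying on Keystone's own default for `lockout_failure_attempts` to leave lockout off; a one-line template comment saying so, e.g. `{# lockout is disabled unless keystone_lockout_security_attempts > 0; see defaults/main.yml #}`, would make that explicit. Operators who do want brute-force protection can, as far as I recall, keep lockout on and exempt service accounts through Keystone's per-user `ignore_lockout_failure_attempts` option; the release note's "not recommended" could point at that middle ground rather than presenting lockout as all-or-nothing.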
diff --git a/releasenotes/notes/keystone-lockout-c8a26a09e0f0560b.yaml b/releasenotes/notes/keystone-lockout-c8a26a09e0f0560b.yaml
new file mode 100644
index 000000000..402a6ddfc
--- /dev/null
+++ b/releasenotes/notes/keystone-lockout-c8a26a09e0f0560b.yaml
@@ -0,0 +1,12 @@
+---
+security:
+ - |
+ When using Keystone, no longer locks users out of their accounts on 3
+ unsuccessful attempts to log in. This creates a very trivially exploitable
+ denial-of-service issue. Use ``keystone_lockout_security_attempts``
+ to re-enable (not recommended).
+features:
+ - |
+ If ``keystone_lockout_security_attempts`` is enabled, the amount of time
+ the account stays locked is now regulated by the new parameter
+ ``keystone_lockout_duration`` (defaulting to 1800 seconds).