Comment 5 for bug 963098

Rajesh Battala (rajesh-battala) wrote : RE: [Bug 963098] Re: Keystone isn't acting on consecutive failed logins

Hi Nag,

What if a hacker who is aware of the username tries to access the account?
After he enters the wrong password 5 times, the security question will be shown.
If the security question is also answered wrongly, the account is locked.

But once the actual user tries to access the account with proper credentials, he will get a message that his account has been locked by the admin, which would be a surprise for the actual user.

Thanks
Rajesh Battala

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Nag
Sent: Wednesday, April 04, 2012 4:15 PM
To: Rajesh Battala
Subject: [Bug 963098] Re: Keystone isn't acting on consecutive failed logins

Hi Joseph,

Thanks for the info.

Actually I want to give a try on this bug in the following way:

1. User types the wrong password 5 times.
2. Then the dashboard needs to show the security question for the particular user. [The security question will be shown only if the user enters a correct username. Otherwise a "wrong username or password" error should be displayed.]
3. If the user types the wrong answer to the security question, the account should be locked and only the admin can unlock the account.
4. If the user enters the correct answer to the security question, a new password shall be mailed to his email id, if he has registered one.

The security question and answer fields can be added to the users table or can be a separate table in the keystone.

This is fine as far as the dashboard is concerned. But as per the comments from Devin, I am thinking about blocking the user from command line arguments.

Please provide your comments.

Regards,
Nag.

https://bugs.launchpad.net/bugs/963098

Title:
  Keystone isn't acting on consecutive failed logins

Status in OpenStack Identity (Keystone):
  Triaged

Bug description:
  Trying to login to the dashboard web interface and failing causes no
  special action no matter how many times it's attempted.

  Malicious users could abuse this in order to try to guess logins and
  passwords.

  This could be prevented by a delay or a captcha after the first few
  failed login attempts.

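The lockout policy debated in this thread, as an added illustration that is not Keystone's own code: a per-username consecutive-failure counter that throttles after the thread's 5 free failures, but with an escalating temporary lock rather than a permanent admin-only lock, so that someone who knows a username delays the real user but cannot lock them out (the concern raised in the reply above). The user table, the clock injection and all names are assumptions made for the example.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FREE_FAILURES = 5   # the thread's "wrong password for 5 times"
BASE_DELAY = 2.0        # seconds; doubles with each further failure
MAX_DELAY = 300.0       # cap so the real user is never shut out for long


@dataclass
class _State:
    consecutive_failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-username consecutive-failure tracker with escalating, temporary lockout.

    users: constructed {username: password} table (plain text only for illustration).
    now:   clock function, injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, users, now=time.time):
        self._users = users
        self._state = {}
        self._now = now

    def attempt(self, username, password):
        """Return ("ok" | "invalid" | "locked", seconds_until_unlock)."""
        now = self._now()
        state = self._state.setdefault(username, _State())
        if now < state.locked_until:
            # Reject without touching the counter: attempts made while the
            # account is locked do not extend the lock.
            return "locked", state.locked_until - now
        stored = self._users.get(username)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        if ok:
            state.consecutive_failures = 0   # a success clears the streak
            return "ok", 0.0
        state.consecutive_failures += 1
        over = state.consecutive_failures - MAX_FREE_FAILURES
        if over > 0:
            # Exponential back-off instead of a permanent admin-only lock: an attacker
            # who knows the username slows the real user down but cannot lock them out.
            state.locked_until = now + min(BASE_DELAY * 2 ** (over - 1), MAX_DELAY)
        # Unknown user and wrong password get the same answer, so the response
        # does not confirm which usernames exist.
        return "invalid", 0.0
```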