<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 12, 2017 at 11:49 PM, Puneet Jain <span dir="ltr"><<a href="mailto:punitjain@csu.fullerton.edu" target="_blank">punitjain@csu.fullerton.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:verdana,sans-serif">Hi All,</div><div><br></div><div><div style="font-family:verdana,sans-serif">The OpenStack login screen has just login name and password for validation. Now, if someone writes a script to perform DoS attacks by sending a lot of fake login requests, the server will easily become unavailable. </div><div style="font-family:verdana,sans-serif"></div></div></div></blockquote><div><br></div><div>If you have found an exploit please raise it in launchpad and mark as security bug for the VMT to look at.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div style="font-family:verdana,sans-serif">I know there is a section in the security page which talks about multi-factor authentication. However, each organization has to implement this at their own (Correct me if I am wrong here). <br></div><div style="font-family:verdana,sans-serif"><br></div><div style="font-family:verdana,sans-serif">Questions </div><div style="font-family:verdana,sans-serif"><br></div><div style="font-family:verdana,sans-serif">Is there any property based solution to provide multifactor authentication? Like, the multi-factor implementation would be a part of OpenStack installation but would be unavailable by default and if an organization enables that property, they will have the multifactor authentication enabled.</div></div><div style="font-family:verdana,sans-serif"><br></div><div style="font-family:verdana,sans-serif">I apologize if my question is very basic. I am quite new to OpenStack.</div><span class="m_-1312944910486390380gmail-HOEnZb"><font color="#888888"><div style="font-family:verdana,sans-serif"> </div><div><br></div></font></span></div></blockquote><div><br></div><div>So keystone is an *identity service*, it's not positioned as being an *identity provider* (although it can act as a basic provider by using an instance of mariadb, but this is not the norm for production deployments). Instead a typical deployment will have third party systems act as identity provider, and this could be in any form such as LDAP, Active Directory and SAML / OpenID via Federation. The operator would then implement MFA in their chosen identity provider.</div><div><br></div><div>I recommend a read of this: </div><br class="m_-1312944910486390380gmail-Apple-interchange-newline"><a href="https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html" target="_blank">https://docs.openstack.org/<wbr>keystone/latest/advanced-<wbr>topics/federation/federated_<wbr>identity.html</a></div><div class="gmail_quote"><br></div><div class="gmail_quote">For this reason, its unlikely that Keystone will provide MFA out of the box.</div><div class="gmail_quote"> <br><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span class="m_-1312944910486390380gmail-HOEnZb"><font color="#888888"><div></div>-- <br><div class="m_-1312944910486390380gmail-m_-4035761735734892567gmail_signature"><div dir="ltr"><div><div dir="ltr"><font face="verdana, sans-serif"><div style="font-family:verdana,sans-serif;display:inline">Best</div>Regards,</font><div><font face="verdana, sans-serif">Puneet Jain</font></div><div><font face="verdana, sans-serif"><br></font></div><div><font face="verdana, sans-serif"><a href="https://www.linkedin.com/pub/puneet-jain/20/917/a54" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x33.png" width="96" height="19"></a><br></font></div></div></div></div></div>
</font></span></div>
<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_-1312944910486390380gmail_signature"><div dir="ltr"><span style="font-size:12.8px">Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat</span><br style="font-size:12.8px"><span style="font-size:12.8px">e: </span><a href="mailto:lhinds@redhat.com" style="color:rgb(17,85,204);font-size:12.8px" target="_blank">lhinds@redhat.com</a><span style="font-size:12.8px"> | irc: lhinds @freenode | m: </span>+44 77 45 63 98 84<span style="font-size:12.8px"> | t: </span>+44 12 52 36 2483<br style="font-size:12.8px"></div></div>
</div></div>