[Openstack] [OSSG][OSSN] Keystone can allow user impersonation when using REMOTE_USER for external authentication

Nathan Kinder nkinder at redhat.com
Fri Jan 17 18:59:24 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Keystone can allow user impersonation when using REMOTE_USER for
external authentication
- ---

### Summary ###
When external authentication is used with Keystone using the
"ExternalDefault" plug-in, external usernames containing "@"
characters are truncated at the "@" character before being mapped to a
local Keystone user. This can result in separate external users
mapping to the same local Keystone user, which could lead to user
impersonation.

### Affected Services / Software ###
Keystone, Havana

### Discussion ###
When Keystone is run in the Apache HTTP Server, the webserver can
handle authentication and pass the authenticated username to Keystone
using the REMOTE_USER environment variable. External authentication
behavior is handled by authentication plugins in Keystone. In the
Havana release of OpenStack, if the external username provided in the
REMOTE_USER environment variable contains an "@" character Keystone
will only use the portion preceding the "@" character as the username
when using the "ExternalDefault" authentication plugin. This results
in the ability for multiple unique external usernames to map to the
same single username in Keystone. For example, the external usernames
"jdoe at example1.com" and "jdoe at example2.com" would both map to the
Keystone user "jdoe". This behavior could potentially be abused to
allow one to impersonate another similarly named external user.

Keystone in OpenStack releases prior to Havana uses the entire value
contained in the REMOTE_USER environment variable, so those versions
are not vulnerable to this impersonation issue.

### Recommended Actions ###
If the "ExternalDefault" plugin is being used for external
authentication in the Havana release, you should ensure that external
usernames do not contain "@" characters unless you want to collapse
similarly named external users into a single user on the Keystone side.

If your external usernames do contain "@" characters and you do not
want to collapse similarly named external users into a single user on
the Keystone side, you might be able to use the "ExternalDomain"
plug-in. This plugin considers the portion of the external username
that follows an "@" character to be the domain that the user belongs
to in Keystone. This allows similarly named external users to map to
separate Keystone users if the portion of the external username that
follows an "@" character maps to a Keystone domain name. To configure
the "ExternalDomain" authentication plugin, set the "external"
parameter in the "[auth]" section of Keystone's keystone.conf as follows:

- ---- begin example keystone.conf snippet ----
[auth]
methods = external,password,token
external = keystone.auth.plugins.external.ExternalDomain
- ---- end example keystone.conf snippet ----

If neither of the above recommendations work for your deployment, a
custom authentication plugin can be created that uses the external
username that contains an "@" character as-is.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1254619
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1254619
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJS2X2MAAoJEJa+6E7Ri+EVHokH/A940crfcsj2kVc7/Q37yPsG
xsRovSkTMjF/MV/Z7reSzeL2/zP1pxwjsqmGD+zNxyjz4yssLhZcbY/bvfHL3D7I
d2xV0Cz46TQ4pe25mYhuM/p6YbYvDbc6STRCaTQVr6BzqqS8o7t7U8vf3IUErgRt
Qa3SCQq8I/ug9J44PDOIJHYP7ETXMl/0R2JgSpUbZ340ZsdnpgbpB29m4Q9VKg1m
wl5WSvEVwSstf/G20u2zAb4v4Cx+oi/1o5osSuCD4vFG6+ouUpJN59vAPfPZkyft
rexPu5Wql4nvAx1cUIB0PpO1+nzmNgK4tyndBVpUKm9M/MOQXdZmY4VEtuAoAqg=
=7mDb
-----END PGP SIGNATURE-----



More information about the Openstack mailing list