[openstack-dev] [keystone][security] New BP for anti brute force in keystone

Morgan Fainberg morgan.fainberg at gmail.com
Wed Jan 13 14:20:12 UTC 2016

This needs to be proposed as a spec, not just a blueprint.

For what it is worth, this has been discussed many times and it was
determined that keystone as a project was not interested in really managing
the life cycle of passwords on this front. Since we support the use of real
Identity Stores and Identity Providers that have this functionality,
password life cycle (complexity, minimum number of passwords before reuse,
minimum/max life span of passwords) instead of the local sql-store, we were
going to rely on these (LDAP Identity, federated identity, etc).

It was also determined that if we were going to go down the path of being a
full-featured identity store/provider in SQL we need clear
support/commitment from orgs to help maintain these features as it is a
significant scope increase to the Identity Store; adding in password
lockouts is just the tip of the iceberg and we need to consider all the
functionality as well.

So, in short:

* This is not a bad conversation to have again. It is worth considering as
a conversation for the next summit in my opinion.

* it needs to be a spec (proposed to the Identity-specs repo).

I look forward to seeing where this goes.

On Jan 11, 2016 23:32, "Youwenwei" <youwenwei at huawei.com> wrote:

> I have registered a new bp for keystone with the capability of anti brute
> force
> Problem Description:
> the attacks of account are increasing in the cloud
> the attacker steals the account information by guessing the password in
> brute force.
> therefore, the ability of account in anti brute force is necessary.
> proposed Change:
> 1. add two configure properties for keystone: threshold for times of
> password error consecutively, time of locked when password error number
> reaches the threshold.
> 2. add two properties of user information in times of password consecutive
> errors, and last password error time. when the password of an account error
> consecutively reaches threshold, the account will be locked with a few time.
> 3. locked account will unlock automatically when locked status time out
> 4. the APIs of keystone which use user_name and password for
> authentication, the message of response will add an error description when
> the account is locked
> https://blueprints.launchpad.net/keystone/+spec/anti-brute-force
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160113/cec43159/attachment.html>

More information about the OpenStack-dev mailing list