[openstack-dev] Regarding Multi-Factor Authentication

Luke Hinds lhinds at redhat.com
Fri Oct 13 08:56:56 UTC 2017


On Thu, Oct 12, 2017 at 11:49 PM, Puneet Jain <punitjain at csu.fullerton.edu>
wrote:

> Hi All,
>
> The OpenStack login screen has just login name and password for
> validation. Now, if someone writes a script to perform DoS attacks by
> sending a lot of fake login requests, the server will easily become
> unavailable.
>

If you have found an exploit, please raise it in Launchpad and mark it as a
security bug for the VMT to look at.


> I know there is a section in the security page which talks about
> multi-factor authentication. However, each organization has to implement
> this on their own (Correct me if I am wrong here).
>
> Questions
>
> Is there any property-based solution to provide multifactor
> authentication? Like, the multi-factor implementation would be a part of
> OpenStack installation but would be unavailable by default and if an
> organization enables that property, they will have the multifactor
> authentication enabled.
>
> I apologize if my question is very basic. I am quite new to OpenStack.
>
>
>
So Keystone is an *identity service*; it's not positioned as being an
*identity provider* (although it can act as a basic provider by using an
instance of MariaDB, but this is not the norm for production deployments).
Instead, a typical deployment will have third-party systems act as the identity
provider, and this could be in any form such as LDAP, Active Directory
and SAML / OpenID via Federation. The operator would then implement MFA in
their chosen identity provider.

I recommend a read of this:

https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html

For this reason, it's unlikely that Keystone will provide MFA out of the box.



> --
> Best
> Regards,
> Puneet Jain
>
> <https://www.linkedin.com/pub/puneet-jain/20/917/a54>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhinds at redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483
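
Added example, not part of the original message and not Keystone's own code: a simplified evaluator for a Keystone-style federation mapping, showing how an operator who delegates MFA to the identity provider can admit only logins for which the provider asserts a second factor. The attribute name, the MFA context value and the group name are assumptions about a particular SP/IdP setup.

```python
# Added illustration, not Keystone's code: a simplified evaluator for a
# Keystone-style federation mapping that only admits MFA-backed logins.

# Assumption: the service provider exposes the SAML AuthnContextClassRef
# under this attribute name (the Shibboleth SP uses this name).
AUTHN_CONTEXT_ATTR = "Shib-AuthnContext-Class"
# Assumption: the IdP reports a completed second factor with this class.
MFA_CONTEXTS = ["https://refeds.org/profile/mfa"]
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Mapping in the shape Keystone's federation mappings use; the group name
# is hypothetical.
MAPPING = {"rules": [{
    "local": [{"user": {"name": "{0}"}, "group": {"name": "mfa_users"}}],
    "remote": [
        {"type": "REMOTE_USER"},
        {"type": AUTHN_CONTEXT_ATTR, "any_one_of": MFA_CONTEXTS},
    ],
}]}


def map_assertion(mapping, assertion):
    """Return {'user', 'group'} for the first rule whose remote
    requirements all hold, or None when no rule matches."""
    for rule in mapping["rules"]:
        captured = []
        for req in rule["remote"]:
            value = assertion.get(req["type"])
            if not value:
                break  # required attribute missing: rule does not match
            if "any_one_of" in req:
                # Multi-valued attributes arrive ';'-separated.
                if not set(value.split(";")) & set(req["any_one_of"]):
                    break  # e.g. password-only login: reject
            else:
                captured.append(value)  # feeds {0}, {1}, ... in "local"
        else:
            local = rule["local"][0]
            return {"user": local["user"]["name"].format(*captured),
                    "group": local["group"]["name"]}
    return None


# Constructed sample assertions, as the SP would hand them to Keystone.
WITH_MFA = {"REMOTE_USER": "alice", AUTHN_CONTEXT_ATTR: MFA_CONTEXTS[0]}
WITHOUT_MFA = {"REMOTE_USER": "alice", AUTHN_CONTEXT_ATTR: PASSWORD_ONLY}

if __name__ == "__main__":
    print(map_assertion(MAPPING, WITH_MFA))     # mapped to a local user
    print(map_assertion(MAPPING, WITHOUT_MFA))  # None: no MFA asserted
```

Because the rule fails closed when the authentication-context attribute is absent, an IdP or SP that does not release that attribute yields no mapping at all.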