Public bug reported: The main idea behind the user ID blacklist for PCI was to allow service accounts to not have to change their password. As noted in [1], a by-product of any PCI implementation is a vulnerability to a DoS (a malicious user attempting to login X times and locking out a user). This case is worsened by the fact that OpenStack uses a few very common usernames: "nova", "admin", "service", etc.

Since blacklisted users are already exempt from changing their password every Y days, then they should be equally exempt from the consequences of too many logins.

[1] http://www.mattfischer.com/blog/?p=769

** Affects: keystone
   Importance: Medium
   Status: Confirmed

** Tags: pci

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1641642

Title:
  users that are blacklisted for PCI support should not have failed login attempts counted

Status in OpenStack Identity (keystone):
  Confirmed
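The trade-off the report describes, modelled as a small lockout policy: a flood of bad passwords locks a normal account (the DoS on "admin"), while an exempt service account keeps authenticating; because exemption removes the brute-force brake, the model raises an alert once failures on an exempt user pile up. This is an added illustration, not keystone code; the class and field names (LockoutPolicy, exempt_users, max_failures, lockout_seconds, alert_threshold) are assumptions chosen for the example, and the user names and passwords are constructed.

```python
"""Model of failed-login lockout with an exemption list (added illustration,
not keystone code). Names and thresholds are assumptions; credentials are
constructed for the example."""
import hmac
from dataclasses import dataclass, field

# Constructed credential store, plaintext only to keep the model short.
CREDENTIALS = {"admin": "admin-secret", "nova": "nova-secret"}


@dataclass
class LockoutPolicy:
    max_failures: int = 5                  # X in the report: failures before a lock
    lockout_seconds: int = 900             # how long a lock lasts
    exempt_users: frozenset = frozenset()  # the PCI "blacklist": never locked
    alert_threshold: int = 20              # failures on an exempt user that raise an alert
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def is_locked(self, user: str, now: int) -> bool:
        """True while a lock is active; an expired lock is cleared with its counter."""
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def authenticate(self, user: str, password: str, now: int) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"
        expected = CREDENTIALS.get(user, "")
        if user in CREDENTIALS and hmac.compare_digest(expected, password):
            self.failures.pop(user, None)  # a success resets the counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if user in self.exempt_users:
            # Exempt accounts keep working; the lost brute-force protection is
            # compensated by alerting once failures against them accumulate.
            if count == self.alert_threshold:
                self.alerts.append(f"{count} failed logins for exempt user {user!r}")
            return "bad_password"
        if count >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
        return "bad_password"


def simulate() -> dict:
    """Replay the report's scenario: bad passwords against a lockable account
    and against an exempt service account (timestamps are constructed)."""
    policy = LockoutPolicy(exempt_users=frozenset({"nova"}))
    t = 1_000_000
    admin_flood = [policy.authenticate("admin", "wrong", t + i) for i in range(6)]
    admin_while_locked = policy.authenticate("admin", "admin-secret", t + 10)
    admin_after_expiry = policy.authenticate(
        "admin", "admin-secret", t + 10 + policy.lockout_seconds)
    nova_flood = [policy.authenticate("nova", "wrong", t + i) for i in range(25)]
    nova_correct = policy.authenticate("nova", "nova-secret", t + 30)
    return {
        "admin_flood": admin_flood,
        "admin_correct_while_locked": admin_while_locked,
        "admin_correct_after_expiry": admin_after_expiry,
        "nova_flood_last": nova_flood[-1],
        "nova_correct": nova_correct,
        "alerts": list(policy.alerts),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The fifth wrong password locks "admin" for lockout_seconds, so even the correct password is refused until the lock expires, which is exactly the denial of service the report warns about; "nova", on the exemption list, is never locked, but the alert entry gives an operator a signal that its credentials are being guessed.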

