
[openstack-dev] Regarding Multi-Factor Authentication

0 votes

Hi All,

The OpenStack login screen has just login name and password for validation.
Now, if someone writes a script to perform DoS attacks by sending a lot of
fake login requests, the server will easily become unavailable.

I know there is a section in the security page which talks about
multi-factor authentication. However, each organization has to implement
this on their own (Correct me if I am wrong here).

Questions

Is there any property-based solution to provide multifactor authentication?
Like, the multi-factor implementation would be a part of OpenStack
installation but would be unavailable by default and if an organization
enables that property, they will have the multifactor authentication
enabled.

I apologize if my question is very basic. I am quite new to OpenStack.

--
Best Regards,
Puneet Jain

https://www.linkedin.com/pub/puneet-jain/20/917/a54


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Oct 13, 2017 in openstack-dev by Puneet_Jain (160 points)  

1 Response

0 votes

On Thu, Oct 12, 2017 at 11:49 PM, Puneet Jain <punitjain@csu.fullerton.edu>
wrote:

> Hi All,
>
> The OpenStack login screen has just login name and password for
> validation. Now, if someone writes a script to perform DoS attacks by
> sending a lot of fake login requests, the server will easily become
> unavailable.

If you have found an exploit, please raise it in Launchpad and mark it as a
security bug for the VMT to look at.

> I know there is a section in the security page which talks about
> multi-factor authentication. However, each organization has to implement
> this on their own (Correct me if I am wrong here).
>
> Questions
>
> Is there any property-based solution to provide multifactor
> authentication? Like, the multi-factor implementation would be a part of
> OpenStack installation but would be unavailable by default and if an
> organization enables that property, they will have the multifactor
> authentication enabled.
>
> I apologize if my question is very basic. I am quite new to OpenStack.

So keystone is an identity service, it's not positioned as being an
identity provider (although it can act as a basic provider by using an
instance of mariadb, but this is not the norm for production deployments).
Instead a typical deployment will have third party systems act as identity
provider, and this could be in any form such as LDAP, Active Directory
and SAML / OpenID via Federation. The operator would then implement MFA in
their chosen identity provider.

I recommend a read of this:

https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html

For this reason, it's unlikely that Keystone will provide MFA out of the box.


--
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhinds@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483


responded Oct 13, 2017 by Luke_Hinds (1,500 points)   1
...