[openstack-dev] Regarding Multi-Factor Authentication

2017-10-12 Thread Puneet Jain
Hi All,

The OpenStack login screen has just login name and password for validation.
Now, if someone writes a script to perform DoS attacks by sending a lot of
fake login requests, the server will easily become unavailable.

I know there is a section in the security page which talks about
multi-factor authentication. However, each organization has to implement
this on their own (correct me if I am wrong here).

Questions

Is there any property-based solution to provide multifactor authentication?
Like, the multi-factor implementation would be a part of OpenStack
installation but would be unavailable by default and if an organization
enables that property, they will have the multifactor authentication
enabled.

I apologize if my question is very basic. I am quite new to OpenStack.


-- 
Best
Regards,
Puneet Jain


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] Regarding Multi-Factor Authentication

2017-10-13 Thread Luke Hinds
On Thu, Oct 12, 2017 at 11:49 PM, Puneet Jain wrote:

> Hi All,
>
> The OpenStack login screen has just login name and password for
> validation. Now, if someone writes a script to perform DoS attacks by
> sending a lot of fake login requests, the server will easily become
> unavailable.
>

If you have found an exploit, please raise it in Launchpad and mark it as a
security bug for the VMT to look at.


> I know there is a section in the security page which talks about
> multi-factor authentication. However, each organization has to implement
> this on their own (correct me if I am wrong here).
>
> Questions
>
> Is there any property-based solution to provide multifactor
> authentication? Like, the multi-factor implementation would be a part of
> OpenStack installation but would be unavailable by default and if an
> organization enables that property, they will have the multifactor
> authentication enabled.
>
> I apologize if my question is very basic. I am quite new to OpenStack.
>
>
>
So Keystone is an *identity service*, it's not positioned as being an
*identity provider* (although it can act as a basic provider by using an
instance of MariaDB, but this is not the norm for production deployments).
Instead, a typical deployment will have third-party systems act as the
identity provider, and this could be in any form such as LDAP, Active
Directory and SAML / OpenID via Federation. The operator would then
implement MFA in their chosen identity provider.

I recommend a read of this:

https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html

For this reason, it's unlikely that Keystone will provide MFA out of the box.



> --
> Best
> Regards,
> Puneet Jain
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483
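
The backend choice described in the reply above, as an added keystone.conf fragment that is not part of the original thread or of any poster's deployment. Hostnames, DNs, the CA path and the password placeholder are constructed; the option names are Keystone's documented `[identity]` and `[ldap]` settings.

```ini
# keystone.conf (fragment, constructed example)

[identity]
# Default: Keystone stores users and password hashes in its own SQL
# database (the "basic provider" case, e.g. backed by MariaDB).
# driver = sql

# Typical production case: Keystone only consumes identities that live
# in an external directory. Password policy, lockout and any second
# factor are then enforced by that directory or the IdP in front of it,
# not by Keystone.
driver = ldap

[ldap]
# Constructed placeholder host; use ldaps:// so binds are encrypted.
url = ldaps://ldap.example.org
# Read-only service account Keystone uses to look up users.
user = cn=keystone-ro,ou=service,dc=example,dc=org
password = <PLACEHOLDER-SERVICE-ACCOUNT-PASSWORD>
suffix = dc=example,dc=org

# Where users live and how their entries map to Keystone attributes.
user_tree_dn = ou=people,dc=example,dc=org
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid

# Verify the directory server's certificate; without this a
# man-in-the-middle can capture every password Keystone forwards.
tls_cacertfile = /etc/pki/tls/certs/example-ca.pem
tls_req_cert = demand
```

With SAML or OpenID Connect federation instead of LDAP, the user authenticates at the identity provider's own login page, so an MFA prompt configured there applies before Keystone ever sees the request.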