Bug 1060745

| Field | Value |
|---|---|
| Summary | [RFE] Protection from Brute Force Password Attacks |
| Product | Red Hat Satellite |
| Reporter | Bryan Kearney <bkearney> |
| Component | Security |
| Assignee | Tomer Brisker <tbrisker> |
| Status | CLOSED ERRATA |
| QA Contact | Katello QA List <katello-qa-list> |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | Nightly |
| CC | lzap |
| Target Milestone | 6.4.0 |
| Keywords | FutureFeature, Reopened, Security, Triaged |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| URL | http://projects.theforeman.org/issues/4238 |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Enhancement |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2018-10-16 15:25:56 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Bryan Kearney
2014-02-03 13:49:28 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

Upstream bug component is WebUI
Upstream bug component is Security
Upstream bug component is Provisioning
Upstream bug component is Security
Upstream bug assigned to tbrisker
Upstream bug assigned to tbrisker

Normal backlog item, WIP. QA please ACK.

Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.

Fix for this has been merged upstream, reopening and moving to post.

VERIFIED on SAT6.4#11

Reproducer for Hammer: bz1602367

Reproducer for WebUI:

1. Set up variables

```shell
export SAT=mysatellite.example.com
export USER=admin
export PW=xxx
```

2. Check correct login

```shell
TOKEN=$(curl -k --cookie-jar cookies.txt https://$SAT/users/login 2> /dev/null | grep 'name=\"authenticity_token\"' | xargs -0 -I % expr % : '.*value="\(.*\)".*$')
curl -L -k -b cookies.txt -F login[login]=$USER -F login[password]=$PW -F authenticity_token=$TOKEN -F commit='Log In' https://$SAT/users/login 2> /dev/null | tee /tmp/a.html | grep "fa-user avatar"
```

Output:

```
... Admin User ...
```

3. Test bad password

```shell
export PW=badpassword
for i in {1..30}; do
  TOKEN=$(curl -k --cookie-jar cookies.txt https://$SAT/users/login 2> /dev/null | grep 'name=\"authenticity_token\"' | xargs -0 -I % expr % : '.*value="\(.*\)".*$')
  curl -L -k -b cookies.txt -F login[login]=$USER -F login[password]=$PW -F authenticity_token=$TOKEN -F commit='Log In' https://$SAT/users/login 2> /dev/null | tee /tmp/a.html | grep -A 1 "pficon-error-circle-o" | tail -n 1
done
```

Output:

```
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Too many tries, please try again in a few minutes.
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927
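The lockout behaviour the reproducer above verifies (29 "Incorrect username or password" responses, then "Too many tries"), as an added Ruby example of the protection this RFE asks for. This is not Foreman's own code: the 30-attempt limit, the 5-minute window, keying on the client address and refusing even a correct password while locked out are assumptions of the example.

```ruby
# Added example (not Foreman's implementation): failed-login throttle keyed by
# source address. Failures are timestamped; only those inside the window count.
# Once the limit is reached, every login from that source is refused until the
# window passes, so a correct guess during lockout gives the caller no signal.
# A successful login clears the counter for that source.
class LoginThrottle
  MAX_TRIES  = 30      # assumed limit; matches the 30-iteration reproducer loop
  LOCK_SECS  = 5 * 60  # assumed window for "a few minutes"
  LOCKED_MSG = 'Too many tries, please try again in a few minutes.'
  BAD_MSG    = 'Incorrect username or password'

  # `clock` is injectable so the window can be tested without sleeping.
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @fails = Hash.new { |h, k| h[k] = [] } # source -> failure timestamps
  end

  # Number of failures from `source` still inside the window.
  def failures(source)
    cutoff = @clock.call - LOCK_SECS
    @fails[source].reject! { |t| t < cutoff }
    @fails[source].size
  end

  def locked?(source)
    failures(source) >= MAX_TRIES
  end

  # `valid` is the outcome of the real credential check, done by the caller.
  # Returns [ok, message] in the shape the login page would render.
  def attempt(source, valid)
    return [false, LOCKED_MSG] if locked?(source)
    if valid
      @fails.delete(source)
      [true, 'Logged in']
    else
      @fails[source] << @clock.call
      [false, locked?(source) ? LOCKED_MSG : BAD_MSG]
    end
  end
end

if __FILE__ == $0
  # Replays the reproducer: 30 bad passwords from one constructed address.
  throttle = LoginThrottle.new
  30.times { puts throttle.attempt('203.0.113.5', false).last }
end
```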