Bug 1468759

Summary: The password field in the Satellite 6 login form needs autocomplete disabled
Product: Red Hat Satellite
Reporter: Greg Scott <gscott>
Component: Users & Roles
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX
QA Contact: Katello QA List <katello-qa-list>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 6.2.10
CC: dhlavacd, mhulan, tbrisker
Target Milestone: Unspecified
Target Release: Unused
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-09 19:15:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Greg Scott 2017-07-07 20:31:04 UTC
Description of problem:
The password field in the Satellite login form has autocomplete turned on. This is a security hole that needs to be closed.

Version-Release number of selected component (if applicable):
6.y

How reproducible:
At will

Steps to Reproduce:
1. Log in to Satellite 6.y and perform some work.
2. Log off.
3. Log back in again and the password field autocompletes.

Actual results:
The password field autocompletes. I don't have to type in the whole password.

Expected results:
I should have to enter the whole password. Password fields should never autocomplete.

Additional info:

Comment 7 of https://bugzilla.redhat.com/show_bug.cgi?id=1060777 said to open a separate BZ for this bug, since that BZ started as an RFE. That RFE was closed with WontFix in 2014 and reopened this week. The 2017 security environment is more demanding, and now it's a bug and no longer a feature request.

One workaround in https://access.redhat.com/solutions/1602583 suggests turning off autocomplete in the user's browser. Unfortunately, this workaround isn't good enough for auditors who use automation, instead of user browsers, to test this stuff. When the auditing tool sees a password field without autocomplete disabled, it triggers an audit failure and the customer must either come up with an acceptable mitigation or not use Satellite.

The problem triggering this BZ happened with Satellite 5.7. But Satellite 6 also needs autocomplete in the password field turned off.
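The kind of automated check the reporter describes, as an added example that is not part of the bug report or of Satellite: it parses a login page and reports each password input together with its autocomplete attribute, failing fields that carry none. The form markup and field names below are constructed, and the accepted values are an assumption that covers both the "off" the report asks for and the password-manager hints ("current-password", "new-password") that comment 2's point about browsers favours.

```python
from html.parser import HTMLParser

# Constructed sample login form (hypothetical markup, not Satellite's own):
# the password field has no autocomplete attribute at all.
SAMPLE_LOGIN_FORM = """
<form action="/users/login" method="post">
  <input type="text" name="login[login]" autocomplete="username">
  <input type="password" name="login[password]">
  <input type="submit" value="Log In">
</form>
"""

# Assumed policy: "off" is what the report requests; the two password-manager
# hints still tell the browser what the field is without inviting a stale fill.
ACCEPTED = {"off", "current-password", "new-password"}


class PasswordFieldAuditor(HTMLParser):
    """Collect every <input type="password"> and its autocomplete value."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, autocomplete value or None)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # html.parser lowercases attribute names; values may be None for bare attrs
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "text").lower() != "password":
            return
        self.findings.append((a.get("name", "?"), a.get("autocomplete")))


def audit_password_fields(html):
    """Return [(field name, autocomplete value, passes)] for each password input."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    return [
        (name, value, value is not None and value.strip().lower() in ACCEPTED)
        for name, value in parser.findings
    ]


if __name__ == "__main__":
    for name, value, ok in audit_password_fields(SAMPLE_LOGIN_FORM):
        print(f"{name}: autocomplete={value!r} -> {'ok' if ok else 'FAIL'}")
```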

Comment 2 Tomer Brisker 2017-07-09 19:15:43 UTC
Setting autocomplete to off is not security best practice, as many browsers will ignore the setting. Using a password manager, on the other hand, is best practice. The automated audit tool which declares this as a security issue is incorrect.
Satellite supports various external authentication methods that allow for stronger authentication, such as IdM, which can be used in a security-sensitive environment.

Comment 3 Greg Scott 2017-07-10 15:17:20 UTC
And setting the password field - by default - to automatically fill in an incomplete password is an acceptable security practice??

Really??

Try an experiment. Make sure your browser is set to not remember passwords. Go visit your favorite banking site. Does the password field autocomplete by default? Now buy a Kindle book from Amazon. Does the password field autocomplete by default? Try the same thing with pretty much any e-commerce website that requires a login.

Obviously, if I tell my browser to remember my password, I deserve the consequences. But to set the password field to autocomplete by default is like purposely stepping in front of a speeding train.

I'll leave this as closed...wontfix since it's not up to me to fix this.  I hope you change your mind.