Bug 1060745 - [RFE] Protection from Brute Force Password Attacks
Summary: [RFE] Protection from Brute Force Password Attacks
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Security
Version: Nightly
Hardware: Unspecified
OS: Unspecified
unspecified
medium vote
Target Milestone: 6.4.0
Assignee: Tomer Brisker
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-02-03 13:49 UTC by Bryan Kearney
Modified: 2019-11-05 22:59 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-16 15:25:56 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2927 None None None 2018-10-16 15:27:08 UTC
Foreman Issue Tracker 4238 None None None 2016-04-22 16:36:56 UTC

Description Bryan Kearney 2014-02-03 13:49:28 UTC
The login screen should protect the users from a brute force password attack. This can handled by approaches such as:

1) Locking an account out after X many failed attempts.
2) Supporting an escalated delay between logins (first failed login delay 5 seconds, second 10, third 20, etc)

Comment 1 RHEL Product and Program Management 2014-02-03 14:16:19 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Bryan Kearney 2015-08-25 17:23:08 UTC
Upstream bug component is WebUI

Comment 4 Bryan Kearney 2015-08-25 17:36:06 UTC
Upstream bug component is Security

Comment 5 Bryan Kearney 2015-08-25 17:56:16 UTC
Upstream bug component is Provisioning

Comment 6 Bryan Kearney 2015-08-25 17:57:57 UTC
Upstream bug component is Security

Comment 7 Bryan Kearney 2016-12-26 17:15:57 UTC
Upstream bug assigned to tbrisker@redhat.com

Comment 8 Bryan Kearney 2016-12-26 17:16:00 UTC
Upstream bug assigned to tbrisker@redhat.com

Comment 9 Lukas Zapletal 2017-02-23 10:09:16 UTC
Normal backlog item, WIP. QA please ACK.

Comment 10 Bryan Kearney 2017-08-31 17:28:15 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in product in the forseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.

Comment 11 Tomer Brisker 2017-12-11 13:52:41 UTC
Fix for this has been merged upstream, reopening and moving to post.

Comment 12 Martin Korbel 2018-07-18 09:24:40 UTC
VERIFIED on SAT6.4#11

Reproducer for Hammer:
bz1602367

Reproducer for WebUI:
1. Setup variables
> export SAT=mysatellite.example.com
> export USER=admin
> export PW=xxx

2.  Check correct login
> TOKEN=$(curl -k --cookie-jar cookies.txt https://$SAT/users/login 2> /dev/null  | grep 'name=\"authenticity_token\"' | xargs -0 -I % expr % : '.*value="\(.*\)".*$'); curl -L -k -b cookies.txt -F login[login]=$USER -F login[password]=$PW -F authenticity_token=$TOKEN -F commit='Log In' https://$SAT/users/login 2> /dev/null | tee /tmp/a.html | grep "fa-user avatar"

...  Admin User ...

3. Test bad password
> export PW=badpassword

> for i in {1..30}; do TOKEN=$(curl -k --cookie-jar cookies.txt https://$SAT/users/login 2> /dev/null  | grep 'name=\"authenticity_token\"' | xargs -0 -I % expr % : '.*value="\(.*\)".*$'); curl -L -k -b cookies.txt -F login[login]=$USER -F login[password]=$PW -F authenticity_token=$TOKEN -F commit='Log In' https://$SAT/users/login 2> /dev/null | tee /tmp/a.html | grep -A 1 "pficon-error-circle-o" | tail -n 1; done

            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Incorrect username or password
            Too many tries, please try again in a few minutes.

Comment 15 errata-xmlrpc 2018-10-16 15:25:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927


Note You need to log in before you can comment on or make changes to this bug.