The login screen should protect the users from a brute force password attack. This can be handled by approaches such as:
1) Locking an account out after X many failed attempts.
2) Supporting an escalated delay between logins (first failed login delay 5 seconds, second 10, third 20, etc.)
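The two mitigations the report asks for, combined in one throttle, as an added example in Ruby (Foreman's implementation language). This is not code from the bug report or from Foreman/Satellite: the class and method names are hypothetical, and the thresholds (5 second base delay doubling per failure, lockout after 5 consecutive failures, 15 minute lockout) are assumed values chosen for illustration, not the product's. The clock is injectable so the behaviour can be exercised without sleeping.

```ruby
# Hypothetical login throttle (added example, not Foreman code).
# Before each password check, call #check(login); if it is not allowed,
# reject the attempt without touching the password store and report
# retry_after. After a password check, call #record(login, success).
class LoginThrottle
  Result = Struct.new(:allowed, :reason, :retry_after)

  BASE_DELAY   = 5        # seconds to wait after the first failure (assumed)
  MAX_FAILURES = 5        # consecutive failures before the account is locked (assumed)
  LOCKOUT      = 15 * 60  # seconds the account stays locked (assumed)

  # clock: a callable returning the current time as a Float of seconds;
  # injectable so tests can advance time deterministically.
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    # per-login state: consecutive failure count and time of the last failure
    @state = Hash.new { |h, k| h[k] = { failures: 0, last_failure: nil } }
  end

  # Escalating delay: 5, 10, 20, 40 ... seconds, never longer than LOCKOUT.
  def delay_for(failures)
    [BASE_DELAY * (2**(failures - 1)), LOCKOUT].min
  end

  # Decide whether a login attempt for +login+ may proceed right now.
  # Returns Result(allowed, reason, retry_after_seconds).
  def check(login)
    s = @state[login]
    return Result.new(true, :ok, 0) if s[:failures].zero?

    elapsed = @clock.call - s[:last_failure]
    locked  = s[:failures] >= MAX_FAILURES
    wait    = locked ? LOCKOUT : delay_for(s[:failures])

    if elapsed < wait
      # Still inside the delay window (or the lockout): refuse the attempt.
      return Result.new(false, locked ? :locked : :throttled, (wait - elapsed).ceil)
    end
    Result.new(true, :ok, 0)
  end

  # Record the outcome of a password check that #check allowed.
  # A success clears the counter; a failure bumps it and restarts the delay.
  def record(login, success)
    if success
      @state.delete(login)
    else
      s = @state[login]
      s[:failures] += 1
      s[:last_failure] = @clock.call
    end
  end
end
```

Two points a practitioner would want to keep in mind: keying the throttle on the login name alone lets an attacker who knows a valid username lock that user out at will, so a production version usually keys on the source address as well (or in addition to the account); and the rejection message should stay generic, as the "Too many tries" text in the verification below does, so the response does not reveal whether the username exists.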
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
Upstream bug component is WebUI
Upstream bug component is Security
Upstream bug component is Provisioning
Upstream bug assigned to tbrisker
Normal backlog item, WIP. QA please ACK.
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.
Fix for this has been merged upstream, reopening and moving to post.
VERIFIED on SAT6.4#11

Reproducer for Hammer: bz1602367

Reproducer for WebUI:

1. Setup variables
> export SAT=mysatellite.example.com
> export USER=admin
> export PW=xxx

2. Check correct login
> TOKEN=$(curl -k --cookie-jar cookies.txt https://$SAT/users/login 2> /dev/null | grep 'name=\"authenticity_token\"' | xargs -0 -I % expr % : '.*value="\(.*\)".*$'); curl -L -k -b cookies.txt -F login[login]=$USER -F login[password]=$PW -F authenticity_token=$TOKEN -F commit='Log In' https://$SAT/users/login 2> /dev/null | tee /tmp/a.html | grep "fa-user avatar"
... Admin User ...

3. Test bad password
> export PW=badpassword
> for i in {1..30}; do
    TOKEN=$(curl -k --cookie-jar cookies.txt https://$SAT/users/login 2> /dev/null | grep 'name=\"authenticity_token\"' | xargs -0 -I % expr % : '.*value="\(.*\)".*$')
    curl -L -k -b cookies.txt -F login[login]=$USER -F login[password]=$PW -F authenticity_token=$TOKEN -F commit='Log In' https://$SAT/users/login 2> /dev/null | tee /tmp/a.html | grep -A 1 "pficon-error-circle-o" | tail -n 1
  done
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Incorrect username or password
Too many tries, please try again in a few minutes.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927