Red Hat Bugzilla – Bug 1255814
brute force prevention login delay should not be applied to successful login requests
Last modified: 2016-02-10 14:14:33 EST
The default configuration of the JDBC authentication module generates an artificial delay of 5 seconds for each authentication request that doesn't use the persistent authentication mechanism. It also generates this artificial delay for the request used to close the session.
This makes manual use of the REST API with a browser very inconvenient, and may also generate serious problems for scripts or applications that don't use persistent authentication.
If this is done for a real security requirement it should be clearly documented in the release notes.
The delay in the request to close the session should be eliminated.
The delay after login attempt is intended as a protection against brute force attacks. The timeout can be changed using
ovirt-aaa-jdbc-tool settings set --name=MINIMUM_RESPONSE_SECONDS --value=NNN
where NNN is the timeout in seconds.
Logout command is not supported in aaa-jdbc extension, so there should be no delay when closing the session.
If it is intended to protect from brute force attacks then the delay should be included only for failed requests, not for successful ones.
And please remember to add this to the release notes.
(In reply to Juan Hernández from comment #2)
> If it is intended to protect from brute force attacks then the delay should
> be included only for failed requests, not for successful ones.
Hmm, I didn't notice on the first look that the timeout is applied every time, I will fix that, thanks.
I will need to investigate the logout timeout, not sure what causes it.
It isn't a logout request, rather a request to close the session. It looks like this:
GET /ovirt-engine/api HTTP/1.1
Authorization: Basic Y...z
Note that this request doesn't include the "Prefer: persistent-auth" header. When the "Authorization" header is included (and correct), the "Prefer" header isn't included, and the JSESSIONID cookie is included (and correct), the meaning is "close this session". In this case the delay is also applied, and it shouldn't be. I guess that if you remove the delay when the authentication is successful then the delay in this case will also be removed.
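As an added illustration (not the aaa-jdbc extension's code), a minimal authenticator that pads only rejected credentials to MINIMUM_RESPONSE_SECONDS, lets a successful login through immediately, and treats the Authorization-plus-JSESSIONID request without a Prefer header as a session close, as described in the comments above. The names Authenticator, handle, basic_header and the sample user, password and cookie values are assumptions.

```python
import base64
import hmac
import time

MINIMUM_RESPONSE_SECONDS = 5  # same default as the aaa-jdbc setting discussed above


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (constructed test input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from a Basic header, or None if it is malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


class Authenticator:
    def __init__(self, users, sessions, min_seconds=MINIMUM_RESPONSE_SECONDS, sleep=time.sleep):
        self.users = users        # {user: password}; plain text only for this demo
        self.sessions = sessions  # live JSESSIONID values
        self.min_seconds = min_seconds
        self.sleep = sleep        # injectable so a test does not really wait

    def handle(self, authorization, persistent_auth, jsessionid, delay_every_request=False):
        """Return (outcome, padding_seconds). Only rejected requests are padded to
        min_seconds; delay_every_request=True reproduces the behaviour reported in the bug."""
        started = time.monotonic()
        creds = parse_basic(authorization)
        ok = (creds is not None and creds[0] in self.users
              and hmac.compare_digest(self.users[creds[0]].encode(), creds[1].encode()))
        if ok and not persistent_auth and jsessionid in self.sessions:
            # Correct Authorization, no "Prefer: persistent-auth", valid cookie: close the session.
            self.sessions.discard(jsessionid)
            outcome = "session-closed"
        elif ok:
            outcome = "authenticated"
        else:
            outcome = "rejected"
        padding = 0.0
        if outcome == "rejected" or delay_every_request:
            # Pad failures to a constant minimum so the response time does not reveal why they failed.
            padding = max(0.0, self.min_seconds - (time.monotonic() - started))
            self.sleep(padding)
        return outcome, padding
```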
Fixed in ovirt-engine-extension-aaa-jdbc-1.0.0-0.0.master.20150831142449.git4d9c713
Fix contained in oVirt 3.6.0 RC1
Fixed bug tickets must have version flags set prior to fixing them. Please set the correct version flags and move the bugs back to the previous status after this is corrected.
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
ok with ovirt-engine-extension-aaa-jdbc-1.0.0-2.el6ev.noarch
oVirt 3.6.0 has been released on November 4th, 2015 and should fix this issue.
If problems still persist, please open a new BZ and reference this one.