Bug 1255814 - brute force prevention login delay should not be applied to successful login requests
brute force prevention login delay should not be applied to successful login ...
Product: ovirt-engine-extension-aaa-jdbc
Classification: oVirt
Component: General (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified (vote)
: ovirt-3.6.0-rc
: 1.0.0
Assigned To: Martin Perina
Ondra Machacek
: Regression
Depends On:
  Show dependency treegraph
Reported: 2015-08-21 11:45 EDT by Juan Hernández
Modified: 2016-02-10 14:14 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-11-04 08:35:30 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
ylavi: ovirt‑3.6.0?
rule-engine: blocker?
rule-engine: planning_ack?
rule-engine: devel_ack+
pstehlik: testing_ack+

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 45530 master MERGED authn: Don't apply timeout on successful reuqest Never

  None (edit)
Description Juan Hernández 2015-08-21 11:45:01 EDT
The default configuration of the JDBC authentication module generates an artificial delay of 5 seconds for each authentication request that doesn't use the persistent authentication mechanism. It also generates this artificial delay for the request used to close the session.

This makes manual use of the RESTAPI with a browser very inconvenient, and may also generate serious problems for scripts or applications that don't use persistent authentication.

If this is done for a real security requirement it should be clearly documented in the release notes.

The delay in the request to close the session should be eliminated.
Comment 1 Martin Perina 2015-08-26 07:29:42 EDT
The delay after login attempt is intended as a protection against brute force attacks. The timeout can be changed using

  ovirt-aaa-jdbc-tool settings set --name=MINIMUM_RESPONSE_SECONDS --value=NNN

where NNN is timeout in seconds.

Logout command is not supported in aaa-jdbc extension, so there should be no delay when closing the session.
Comment 2 Juan Hernández 2015-08-26 07:34:10 EDT
If it is intended to protect from brute force attacks then the delay should be included only for failed requests, not for successful ones.
Comment 3 Juan Hernández 2015-08-26 07:34:41 EDT
And please remember to add this to the release notes.
Comment 4 Martin Perina 2015-08-26 08:14:51 EDT
(In reply to Juan Hernández from comment #2)
> If it is intended to protect from brute force attacks then the delay should
> be included only for failed requests, not for successful ones.

Hmm, I didn't noticed on the 1st look that the timeout is applied every time, I will fix that, thanks.

I will need to investigate the logout timeout, not sure what causes it.
Comment 5 Juan Hernández 2015-08-26 08:23:14 EDT
It isn't a logout request, rather a request to close the session. It looks like this:

  GET /ovirt-engine/api HTTP/1.1
  Authorization: Basic Y...z
  Cookie: JSESSIONID=8...I

Note that this request it doesn't include the "Prefer: persistent-auth" header. When the "Authorization" header is included (and correct), the "Prefer" header isn't included, and the JSESSIONID cookie is included (and correct) the meaning is "close this session". In this case the delay is also applied, and it shouldn't. I guess that if you remove the delay when the authentication is successful then the delay in this case will also be removed.
Comment 6 Martin Perina 2015-09-07 07:51:32 EDT
Fixed in ovirt-engine-extension-aaa-jdbc-1.0.0-0.0.master.20150831142449.git4d9c713
Comment 7 Martin Perina 2015-09-29 03:09:45 EDT
Fix contained in oVirt 3.6.0 RC1
Comment 8 Red Hat Bugzilla Rules Engine 2015-10-18 04:21:34 EDT
Fixed bug tickets must have version flags set prior to fixing them. Please set the correct version flags and move the bugs back to the previous status after this is corrected.
Comment 9 Red Hat Bugzilla Rules Engine 2015-10-19 07:04:33 EDT
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Comment 10 Ondra Machacek 2015-10-20 09:13:16 EDT
ok with ovirt-engine-extension-aaa-jdbc-1.0.0-2.el6ev.noarch
Comment 11 Sandro Bonazzola 2015-11-04 08:35:30 EST
oVirt 3.6.0 has been released on November 4th, 2015 and should fix this issue.
If problems still persist, please open a new BZ and reference this one.

Note You need to log in before you can comment on or make changes to this bug.