asf-tooling opened a new issue, #1028:
URL: https://github.com/apache/tooling-trusted-releases/issues/1028
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
When a user adds or removes an SSH key (an authentication factor for the SSH
rsync server), no option is presented to terminate other active sessions. SSH
keys are authentication factors, and their modification should trigger the same
session termination option as PAT changes per ASVS 7.4.3. If a user removes a
compromised SSH key, SSH access to the rsync server is revoked, but web UI sessions
cannot be terminated, allowing an attacker with a stolen web session to re-add
SSH keys and regain access.
### Details
Affected locations:
- `atr/post/keys.py` lines 141-155: `ssh_add()` without session termination option
- `atr/post/keys.py` lines 174-184: `_delete_ssh_key()` without session termination option
The SSH key addition and deletion forms lack the "terminate other sessions" option
that exists for PAT changes.
### Recommended Remediation
Add 'terminate_other_sessions' boolean field to `AddSSHKeyForm` and
`DeleteSSHKeyForm`:
```python
import pydantic


class AddSSHKeyForm(pydantic.BaseModel):
    public_key: str
    # When True, the handler terminates every other session of the user
    terminate_other_sessions: bool = False


class DeleteSSHKeyForm(pydantic.BaseModel):
    fingerprint: str
    terminate_other_sessions: bool = False
```
Update `ssh_add()` and `_delete_ssh_key()` handlers to check this field and
call `terminate_all_other_sessions(session.asf_uid, current_session_id)` when
checked (requires SESSION-001 fix).
Add checkbox to SSH key forms with appropriate messaging:
- For addition: "Terminate other sessions (recommended if adding key for security reasons)"
- For deletion: "Terminate other sessions (recommended if key was compromised)"
For deletion, show a warning if not checked: "SSH key deleted successfully.
Consider terminating other sessions if key was compromised."
### Acceptance Criteria
- [ ] SSH key forms include session termination option
- [ ] Session termination is triggered when option is checked
- [ ] Warning is shown if deletion occurs without session termination
- [ ] Test cases verify session termination option
- [ ] Unit test verifying the fix
### References
- Source reports: L2:7.4.3.md
- Related findings: FINDING-005, FINDING-036, FINDING-248
- ASVS sections: 7.4.3
### Priority
Medium
---
### Consolidated: FINDING-132 - JWT Signing Key Rotation Does Not Invalidate Cookie Sessions
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
When the JWT signing key is rotated via the admin panel (a significant security
event that invalidates all existing JWTs), cookie-based web sessions are
unaffected. While the rotation successfully invalidates all JWTs, it creates an
inconsistent security posture where API access via JWTs is revoked but web UI
access via cookies continues. If JWT key rotation is performed due to suspected
key compromise, attackers with active cookie sessions are not affected by the
security response, leaving the incident response incomplete.
### Details
Affected locations:
- `atr/admin/__init__.py` lines 404-410: `rotate_jwt_key_post()` doesn't terminate sessions
- `atr/storage/writers/tokens.py` lines 174-179: JWT key rotation logic
JWT key rotation invalidates all JWTs but leaves cookie sessions active.
### Recommended Remediation
Add automatic session termination to `rotate_jwt_key_post()`.
**Recommended Option A:** Terminate all sessions globally including admin:
```python
import quart


async def rotate_jwt_key_post():
    # Rotate JWT key
    await write.rotate_jwt_key()
    # Terminate all sessions (requires SESSION-001 fix)
    await terminate_all_sessions_globally()
    # Redirect to login; the admin's own session is gone as well
    return quart.redirect('/login?message=JWT+key+rotated+and+all+sessions+terminated')
```
**Alternative Option B:** Preserve admin session:
```python
import quart
from quart import flash


async def rotate_jwt_key_post(session):
    # Rotate JWT key
    await write.rotate_jwt_key()
    # Terminate all sessions except current (requires SESSION-001 fix)
    current_session_id = await get_current_session_id()
    await terminate_all_sessions_except(current_session_id)
    # Show success message
    flash("JWT signing key rotated and all other sessions terminated successfully.")
    return quart.redirect('/admin')
```
**Recommendation:** Use Option A for maximum security during key rotation
events.
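The following is an added, self-contained example (not code from the apache/tooling-trusted-releases project and not the SESSION-001 implementation) that puts both remediations above side by side: the SSH-key deletion handler honouring a `terminate_other_sessions` flag, and Option A key rotation that both invalidates existing JWTs and terminates every cookie session. The `SessionStore`, `KeyService` and `JwtIssuer` classes are hypothetical stand-ins; the JWT is a minimal HS256 built on `hmac` so the example runs offline, and the sample users and fingerprints are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


class SessionStore:
    """Hypothetical in-memory cookie-session store (stand-in for SESSION-001)."""

    def __init__(self):
        self._sessions = {}  # session_id -> asf_uid

    def create(self, asf_uid):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = asf_uid
        return sid

    def is_active(self, sid):
        return sid in self._sessions

    def terminate_all_other_sessions(self, asf_uid, current_session_id):
        """Drop every session of asf_uid except the one making the request."""
        doomed = [s for s, uid in self._sessions.items()
                  if uid == asf_uid and s != current_session_id]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)

    def terminate_all_sessions_globally(self):
        """Option A: every session goes, including the admin's own."""
        count = len(self._sessions)
        self._sessions.clear()
        return count


@dataclass
class DeleteSSHKeyForm:
    fingerprint: str
    terminate_other_sessions: bool = False


class KeyService:
    """Hypothetical SSH-key handler: removing a factor can also end other sessions."""

    def __init__(self, store):
        self.store = store
        self.ssh_keys = {}  # asf_uid -> set of fingerprints

    def delete_ssh_key(self, asf_uid, current_session_id, form):
        self.ssh_keys.setdefault(asf_uid, set()).discard(form.fingerprint)
        if form.terminate_other_sessions:
            n = self.store.terminate_all_other_sessions(asf_uid, current_session_id)
            return f"SSH key deleted and {n} other session(s) terminated."
        # Warning shown when the user chose not to terminate other sessions
        return ("SSH key deleted successfully. Consider terminating other "
                "sessions if key was compromised.")


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class JwtIssuer:
    """Minimal HS256 issuer; rotating the key invalidates every earlier token."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def issue(self, claims):
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(sig)}"

    def verify(self, token):
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            return False
        expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(_b64(expected), sig)

    def rotate(self):
        self.key = secrets.token_bytes(32)


def rotate_jwt_key_post(issuer, store):
    """Option A: rotate the signing key and terminate all cookie sessions.

    Returns the number of sessions terminated so the admin can be told.
    """
    issuer.rotate()
    return store.terminate_all_sessions_globally()
```

Running it shows the two halves of the incident response moving together: after `rotate_jwt_key_post` the old token fails `verify` and no cookie session remains, which is the consistent posture the finding asks for. The deletion handler returns the warning text whenever the checkbox is left unchecked, matching the deletion message proposed above.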
### Acceptance Criteria
- [ ] JWT key rotation terminates cookie sessions
- [ ] Security response is complete and consistent
- [ ] Admin is notified of session termination
- [ ] Test cases verify session termination
- [ ] Unit test verifying the fix
### References
- Source reports: L2:7.4.3.md
- Related findings: FINDING-005, FINDING-037, FINDING-133
- ASVS sections: 7.4.3
### Priority
Medium
---
**Triage notes:** discussion - discuss how we monitor and administer SSH sessions
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]