Hans Yperman created an issue

GeoServer / Bug GEOS-10806: slow login and accidental ldap hacking caused by default password test
https://osgeo-org.atlassian.net/browse/GEOS-10806

Issue Type: Bug
Affects Versions: 2.22.0
Assignee: Unassigned
Components: Security
Created: 21/Dec/22 5:23 PM
Priority: Medium
Reporter: Hans Yperman

When an admin logs in to GeoServer, it wants to validate that you modified the 
default admin password. The relevant code is in 
org.geoserver.security.web.SecurityHomePageContentProvider.

It does this by sending the default admin user and password through the default 
login stack. This has some unfortunate side effects:

* If you have LDAP configured as login method, it does an invalid logon on the 
LDAP server. If that server has a user 'admin', it might trigger defensive 
measures.

* Admin login is slow (5 seconds), as the Spring brute force attack prevention 
kicks in twice:

[geoserver.security] - Failed login, user admin from XXXX
[geoserver.security] - Brute force attack prevention, delaying login for 1551ms

Steps to reproduce:

* log in with an admin user, when the default password has been changed
* you might need to configure LDAP to see the worst impact.

Some suggestions for resolution:

* Add a flag to disable this feature
* Check the security stores manually for the hashed default password

The relevant part of the stack trace:

org.springframework.security.authentication.BadCredentialsException: Bad credentials
       at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:101)
       at org.geoserver.security.ldap.GeoserverLdapBindAuthenticator.authenticate(GeoserverLdapBindAuthenticator.java:54)
       at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187)
       at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
       at org.geoserver.security.DelegatingAuthenticationProvider.doAuthenticate(DelegatingAuthenticationProvider.java:57)
       at org.geoserver.security.ldap.LDAPAuthenticationProvider.doAuthenticate(LDAPAuthenticationProvider.java:59)
       at org.geoserver.security.DelegatingAuthenticationProvider.authenticate(DelegatingAuthenticationProvider.java:36)
       at org.geoserver.security.GeoServerAuthenticationProvider.authenticate(GeoServerAuthenticationProvider.java:54)
       at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
       at org.geoserver.security.GeoServerSecurityManager.checkForDefaultAdminPassword(GeoServerSecurityManager.java:1374)
       at org.geoserver.security.web.SecurityHomePageContentProvider$SecurityWarningsPanel.<init>(SecurityHomePageContentProvider.java:115)
       at org.geoserver.security.web.SecurityHomePageContentProvider.getPageBodyComponent(SecurityHomePageContentProvider.java:44)
       at org.geoserver.web.GeoServerHomePage$10.populateItem(GeoServerHomePage.java:699)
       at org.apache.wicket.markup.html.list.ListView.onPopulate(ListView.java:523)

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
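The two checks the report contrasts, replaying the default credentials through the whole login stack versus comparing them against the stored hash, as an added illustrative Python model. This is not GeoServer's or Spring Security's code: it assumes the LDAP provider sits before the local user store in the chain, that the shipped defaults are admin/geoserver, and it invents the lockout threshold, the delay length, the directory contents and every class and function name.

```python
"""Illustrative model of the two ways to check whether the default admin
password is still in use (GEOS-10806). Not GeoServer or Spring Security code."""
import hashlib
import hmac
import os
import time

# GeoServer ships with admin/geoserver; the example assumes those defaults.
DEFAULT_ADMIN_USER = "admin"
DEFAULT_ADMIN_PASSWORD = "geoserver"


class BadCredentials(Exception):
    pass  # stands in for Spring's BadCredentialsException


def hash_password(password: str, salt: bytes) -> bytes:
    # Any salted, slow hash works for the model; PBKDF2 is in the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class LocalUserStore:
    """Models the local user/group service holding salted password hashes."""
    def __init__(self):
        self._users = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt))

    def verify(self, user, password):
        """Local hash comparison only: no network call, no failure counters."""
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def authenticate(self, user, password):
        if not self.verify(user, password):
            raise BadCredentials(user)
        return user


class LdapProvider:
    """Models a bind authenticator; every attempt is visible to the directory."""
    def __init__(self, directory, lockout_after=3):  # threshold is invented
        self._directory = directory
        self._lockout_after = lockout_after
        self.bind_attempts = []  # what the LDAP admin sees in the directory log
        self.failed_binds = {}

    def authenticate(self, user, password):
        self.bind_attempts.append(user)
        locked = self.failed_binds.get(user, 0) >= self._lockout_after
        if not locked and self._directory.get(user) == password:
            return user
        self.failed_binds[user] = self.failed_binds.get(user, 0) + 1
        raise BadCredentials(user)


class LoginStack:
    """Provider chain plus a brute-force delay on failure, like the logged one."""
    def __init__(self, providers, delay_seconds=0.01):
        self._providers = providers
        self._delay = delay_seconds  # tiny here; the report saw ~1.5 s per failure
        self.delays_applied = 0

    def authenticate(self, user, password):
        for provider in self._providers:
            try:
                return provider.authenticate(user, password)
            except BadCredentials:
                continue
        self.delays_applied += 1  # "Brute force attack prevention, delaying login"
        time.sleep(self._delay)
        raise BadCredentials(user)


def default_password_in_use_via_login(stack):
    """The reported behaviour: replay the default credentials through the stack."""
    try:
        stack.authenticate(DEFAULT_ADMIN_USER, DEFAULT_ADMIN_PASSWORD)
        return True
    except BadCredentials:
        return False


def default_password_in_use_via_store(store):
    """The suggested alternative: check the stored hash and touch no provider."""
    return store.verify(DEFAULT_ADMIN_USER, DEFAULT_ADMIN_PASSWORD)


def run_scenario(admin_password="Correct-Horse-Battery-Staple"):
    """Constructed setup: LDAP first in the chain, and it has its own 'admin'."""
    store = LocalUserStore()
    store.set_password(DEFAULT_ADMIN_USER, admin_password)
    ldap = LdapProvider({"admin": "ldap-only-secret"})
    stack = LoginStack([ldap, store])
    return {
        "via_login": default_password_in_use_via_login(stack),
        "via_store": default_password_in_use_via_store(store),
        "ldap_binds": len(ldap.bind_attempts),
        "ldap_failed_admin_binds": ldap.failed_binds.get("admin", 0),
        "delays_applied": stack.delays_applied,
    }
```

With the admin password already changed, run_scenario() shows the login-based check producing one failed LDAP bind for 'admin' and one brute-force delay, while the store check reaches the same answer with neither. With the default password still set, the login-based check succeeds but the failed LDAP bind is recorded anyway, because the LDAP provider is tried before the local store.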