Public bug reported:
Keystone should add a password_status attribute to user. Status may
include: expired, expire_soon, locked.
expired/expire_soon:
Keystone should warn about a user's password being expired or about to expire
soon (7 days later or configurable). An administrator can list all the users to
see if their passwords are expired or going to expire soon, then show it on some
management UI or send email to them.
locked:
When a user's password is locked, keystone should show it via the user
information. Since keystone has fixed a user guessing security
vulnerability (CVE-2021-38155), it's impossible for the outside to know if an
authentication error is due to an invalid password or a password lock. This greatly
harms user friendliness and does not comply with common practice.
By adding a "locked" password status to user info, a login UI can decide if the
authentication failure is caused by an invalid password or a password lock.
** Affects: keystone
Importance: Undecided
Status: New
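An added example (not Keystone's code, and not something the reporter posted) showing how the proposed attribute could be derived from data an identity service already keeps: the password's creation time, a configurable expiry and warning window, and a failed-attempt lockout. The option names, the UserRecord layout, the generic error string and the sample users are all constructed for illustration. It also shows the design point behind CVE-2021-38155: the unauthenticated login path returns one generic error whether the password was wrong or the account is locked, while the lock state is exposed only through the authenticated user listing an administrator reads.

```python
"""Derive a password_status list for a user record (hypothetical helper)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed settings with hypothetical names; Keystone's real options are
# not reproduced here.
PASSWORD_EXPIRES_DAYS = 90
EXPIRE_SOON_DAYS = 7                   # "7 days later or configurable"
LOCKOUT_FAILURE_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed placeholder for the single message every failed login receives.
GENERIC_AUTH_ERROR = "Authentication failed."


@dataclass
class UserRecord:
    name: str
    password_created_at: datetime
    failed_auth_count: int = 0                 # consecutive failed logins
    failed_auth_at: Optional[datetime] = None  # time of the last failure


def is_locked(user: UserRecord, now: datetime) -> bool:
    """True while the failure counter has hit the threshold and the
    lockout window has not yet elapsed."""
    if user.failed_auth_count < LOCKOUT_FAILURE_ATTEMPTS or user.failed_auth_at is None:
        return False
    return now < user.failed_auth_at + LOCKOUT_DURATION


def password_status(user: UserRecord, now: datetime) -> List[str]:
    """Return the applicable statuses from {expired, expire_soon, locked}.
    An empty list means the password is usable and not about to expire.
    'expired' and 'locked' can both apply at once."""
    statuses: List[str] = []
    expires_at = user.password_created_at + timedelta(days=PASSWORD_EXPIRES_DAYS)
    if now >= expires_at:
        statuses.append("expired")
    elif now >= expires_at - timedelta(days=EXPIRE_SOON_DAYS):
        statuses.append("expire_soon")
    if is_locked(user, now):
        statuses.append("locked")
    return statuses


def admin_user_listing(users: Iterable[UserRecord], now: datetime) -> Dict[str, List[str]]:
    """Authenticated admin view: every user with its password_status, the
    data a management UI or a reminder-email job would consume."""
    return {u.name: password_status(u, now) for u in users}


def authenticate(user: UserRecord, password_ok: bool, now: datetime) -> Tuple[bool, Optional[str]]:
    """Unauthenticated login path. A wrong password and a locked account
    yield the identical response, so the lock state cannot be probed by
    callers who have not already authenticated. `password_ok` stands in
    for the real credential check."""
    if is_locked(user, now) or not password_ok:
        return (False, GENERIC_AUTH_ERROR)
    return (True, None)


# Constructed reference time and sample users.
NOW = datetime(2021, 9, 20, tzinfo=timezone.utc)
SAMPLE_USERS = [
    UserRecord("alice", NOW - timedelta(days=10)),                                # fine
    UserRecord("bob", NOW - timedelta(days=86)),                                  # expires in 4 days
    UserRecord("carol", NOW - timedelta(days=120)),                               # expired
    UserRecord("dave", NOW - timedelta(days=30), 5, NOW - timedelta(minutes=5)),  # locked
    UserRecord("erin", NOW - timedelta(days=30), 5, NOW - timedelta(hours=2)),    # lock elapsed
    UserRecord("frank", NOW - timedelta(days=100), 5, NOW - timedelta(minutes=1)),  # both
]

if __name__ == "__main__":
    for name, status in admin_user_listing(SAMPLE_USERS, NOW).items():
        print(f"{name:6s} {status or ['ok']}")
```

The listing function is the only place the lock state is visible, and it sits behind the same authorization an administrator already needs to read user records; a login form that wants to tell a locked user apart from a mistyped password would have to obtain that status through an authenticated channel rather than from the login error itself.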
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1943952
Title:
Keystone should add password_status attribute to user
Status in OpenStack Identity (keystone):
New