openstack/keystone
Code Issues Proposed changes
fb86048d0a
keystone/releasenotes/notes/bug-1872737-f8e1ad3b6705b766.yaml
Colleen Murphy ab89ea7490 Check timestamp of signed EC2 token request 
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.

The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].

Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.

[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html

Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
2020-04-28 11:45:24 -07:00

29 lines
1.3 KiB
YAML
Raw Blame History

---
feature:
- |
[`bug 1872737 <https://bugs.launchpad.net/keystone/+bug/1872737>`_]
Added a new config option ``auth_ttl`` in the ``[credential]`` config
section to allow configuring the period for which a signed token request
from AWS is valid. The default is 15 minutes in accordance with the AWS
Signature V4 API reference.
upgrade:
- |
[`bug 1872737 <https://bugs.launchpad.net/keystone/+bug/1872737>`_]
Added a default TTL of 15 minutes for signed EC2 credential requests,
where previously an EC2 signed token request was valid indefinitely. This
change in behavior is needed to protect against replay attacks.
security:
- |
[`bug 1872737 <https://bugs.launchpad.net/keystone/+bug/1872737>`_]
Fixed an incorrect EC2 token validation implementation in which the
timestamp of the signed request was ignored, which made EC2 and S3 token
requests vulnerable to replay attacks. The default TTL is 15 minutes but
is configurable.
fixes:
- |
[`bug 1872737 <https://bugs.launchpad.net/keystone/+bug/1872737>`_]
Fixed an incorrect EC2 token validation implementation in which the
timestamp of the signed request was ignored, which made EC2 and S3 token
requests vulnerable to replay attacks. The default TTL is 15 minutes but
is configurable.
View Git Blame Copy Permalink