OSSN/1254619

Summary
When external authentication is used with Keystone using the "ExternalDefault" plug-in, external usernames containing "@" characters are truncated at the "@" character before being mapped to a local Keystone user. This can result in separate external users mapping to the same local Keystone user, which could lead to user impersonation.

Affected Services / Software
Keystone, Havana

Discussion
When Keystone is run in the Apache HTTP Server, the webserver can handle authentication and pass the authenticated username to Keystone using the REMOTE_USER environment variable. External authentication behavior is handled by authentication plugins in Keystone. In the Havana release of OpenStack, if the external username provided in the REMOTE_USER environment variable contains an "@" character Keystone will only use the portion preceding the "@" character as the username when using the "ExternalDefault" authentication plugin. This results in the ability for multiple unique external usernames to map to the same single username in Keystone. For example, the external usernames "jdoe@example1.com" and "jdoe@example2.com" would both map to the Keystone user "jdoe". This behavior could potentially be abused to allow one to impersonate another similarly named external user.

Keystone in OpenStack releases prior to Havana uses the entire value contained in the REMOTE_USER environment variable, so those versions are not vulnerable to this impersonation issue.

Recommended Actions
If the "ExternalDefault" plugin is being used for external authentication in the Havana release, you should ensure that external usernames do not contain "@" characters unless you want to collapse similarly named external users into a single user on the Keystone side.

If your external usernames do contain "@" characters and you do not want to collapse similarly named external users into a single user on the Keystone side, you might be able to use the "ExternalDomain" plug-in. This plugin considers the portion of the external username that follows an "@" character to be the domain that the user belongs to in Keystone. This allows similarly named external users to map to separate Keystone users if the portion of the external username that follows an "@" character maps to a Keystone domain name. To configure the "ExternalDomain" authentication plugin, set the "external" parameter in the "[auth]" section of Keystone's keystone.conf as follows:

[auth] methods = external,password,token external = keystone.auth.plugins.external.ExternalDomain

If neither of the above recommendations work for your deployment, a custom authentication plugin can be created that uses the external username that contains an "@" character as-is.

Contacts / References

 * Nathan Kinder, Red Hat
 * This OSSN : https://bugs.launchpad.net/ossn/+bug/1254619
 * Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1254619
 * OpenStack Security ML : openstack-security@lists.openstack.org
 * OpenStack Security Group : https://launchpad.net/~openstack-ossg