external.Default authentication plugin only considers leftmost part of the REMOTE_USER split by "@"

Trying to determine whether this merits an advisory... can you expand on your scenario above? When you suggest "an external
plugin that uses the email as the username" is this common/recommended practice? Also, what releases contain code vulnerable to this?

Hi Jeremy.

I will update the description of the patch with more information right now.

Updated. If you need further information, please do not hesitate to ask.

It sounds like this is probably a surprising enough result that fixing it merits a security advisory, and potentially exploitable so should remain embargoed until then (the security impact of https://review.openstack.org/50362 seems sufficiently opaque such that I don't think it gives away this issue). Does anyone disagree?

@fungi -

Will the fact that a core contributor -1'd this patch for compatibility issues make this difficult to get through without publicly disclosing the reasons why the fix is needed?

It's entirely possible that a more targeted security fix could be
needed to address this, independent of (or in place of)
https://review.openstack.org/50362 but hopefully Dolph and other
Keystone developers will be able to make that determination.

Not totally convinced about this one. If I understand correctly, this is about username mapping -- if Keystone is configured to rely on REMOTE_USER to give it usernames, it will consider REMOTE_USERs john and john@* to all point to the same Keystone user "john".

If properly documented, that could be seen as a feature. If not, that could be seen as a bug (you have no way to access Keystone user john@* in a REMOTE_USER-enabled setup). If it's a bug, it has some potential security impact that we should document, but I could go with OSSN + fix in next, especially if the fix ends up breaking existing setups actually *relying* on the mapping.

@ttx -

Hi Tierry. Thanks for your comments, but I have to disagree with you.

First of all, the only documented behavior is for the V2 API [1], where the
REMOTE_USER variable contains the username of the authenticated user. A site
administrator with a working configuration for the V2 would assume for sure
that this is the behavior for the V3 as well, but this is not true. If
somebody has configured an external authentication mechanism that relies in
the user emails as the usernames in V2, and has moved this to V3 he will be
affected by this.

[1] http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication

Secondly, this behavior goes against the semantics of the REMOTE_USER env
variable in WSGI: "REMOTE_USER: This should be the string username of the
user, nothing more." [2]. A site admin reading the documentation [1] and with
the semantics of the REMOTE_USER in mind would configure its installation so
that the usernames are passed down in the REMOTE_USER env variable, and those
userames are then created in Keystone. This way, "<email address hidden>",
"<email address hidden>" and "john" are three different users. The two former will
be authenticated externally, and the later locally, but this is not the case.

[2] http://wsgi.readthedocs.org/en/latest/specifications/simple_authentication.html#specification

In third place, this renders unusable the external authentication for
usernames containing an "@". For example, X.509 certificates can contain the
email address of the user (or even of the CA) in the subject. Therefore this
certificate DN:

    /DC=org/DC=example/O=whatever/CN=alvaro <email address hidden>

Will break into:

    /DC=org/DC=example/O=whatever/CN=alvaro alvaro

I agree that the second and third aspects are only a bug, but from my
perspective of a resource provider that has been using external authentication
since V2, the first one has a clear security impact.

> If it's a bug, it has some potential security impact that we should document,
> but I could go with OSSN + fix in next, especially if the fix ends up breaking
> existing setups actually *relying* on the mapping.

The external authentication behavior for the V3 has been already broken
between the releases. The support shipped with Grizzly behaves completely
different than the Havana one (therefore the compatibility was broken between
releases). If somebody is using an "@" inside their REMOTE_USERs, it is already
broken (it's not only emails, but LDAP dns, X509 subject names, etc).

BTW, should I add the Closes-Bug in the commit message of the patchset that fixes this?

For embargoed security vulnerabilities, a vulnerability management team member will end up submitting the patches to fix it in all affected branches at the time we release an accompanying advisory. When we do that, we generally set the Closes-Bug header in each commit message accordingly.

But that's jumping ahead a bit... first we need Keystone security reviewers to confirm the reported vulnerability and look at any proposed patches to address it (which should only be distributed by attaching them to this bug, if they agree that it should remain embargoed).

Splitting REMOTE_USER by '@' and discarding anything strikes me as a non-existent use case to begin with (this just looks broken). If there is no use case for this behavior, this bug is effectively embargoed from a non-existent set of users. I'm working to corroborate or contradict this suspicion if possible.

Yeah, I'm still not convinced this is actually exploitable, even by accident. It looks like the buggy user mapping would always end up in accidental access denying rather than accidental access allowance...

Alvaro: could you describe a scenario where this bug can be exploited for profit by an attacker ?

@ttx:

The buggy mapping will finish in an access denial if there is no other user with that username in the local backend. If by chance you have in your local backend a user "john" and an external user "<email address hidden>" (as shown above) this is exploitable (this is a corner case, but it is still possible).

In V2 you could have "john", "<email address hidden>" (authenticated externally), "<email address hidden> "(also externally) and so on, and all of them were different users. If you were using this in V2 and you switch to using V3, the two later John's would get the former's credentials.

The security impact is low (too many variables are involved), but it exists (maybe a OSSN is enough, but I let it to the experts).

On the other hand (this is regarding the bug), the REMOTE_USER should not be splited at all and it should be considered as the username for the user that authenticated upstream, without further modifications (as V2 external did).

Alvaro: thx, that sounds like a valid case to me...
Dolph: do you agree we should cover this as a security vulnerability ?

After talking to Adam Young, I still don't see any utility in splitting REMOTE_USER and discarding half the value. We do agree that it should be fixed in master & havana to match grizzly's behavior of using the entire REMOTE_USER value as a username in the default domain.

So, I'd like to fix this bug in the open but I do think it makes sense to issue an OSSN regarding the potential risk in attempting to use Havana's broken behavior. I'd also like to piggyback the OSSN email asking for deployer feedback on the fix itself, before it merges.

Alvaro: Is it okay with you if we make this public and fix it as a security hardening bug?

@fungi: Yes, it is ok for me.

@Dolhp: This is what https://review.openstack.org/#/c/50362/ did in patchset 24 that was -2ed for breaking backwards compatibility.

@dolph: Regarding the feedback, with my deployer hat on I find it important to get it coherent between V2 and V3: i.e. not touching REMOTE_USER at all and use it entirely as the username, regardless of using the default domain or not (as it was done for V2). There are other means of passing down the domain to Keystone (for example in another env variable).

The reasons are various: it is difficult to maintain both V2 and V3 at the same time (even if V2 is going to be deprecated); it is harder to configure when using just an http server for authentication (and not using a WSGI filter) and it is not the expected behavior when comparing against other applications (not to say that this was not the behavior with V2)

Assuming that backwards compatibility will be broken for this fix: why is it needed to append domain information to the REMOTE_USER? Why not just using an additional variable to pass down this value?

Adding ossn team as they might want to address this in a security note...

I think it makes sense to release an OSSN for this. I'll work on writing it up.

(replying mostly for posterity as I think this conversation took place in other venues)

@Alvaro: agree completely. Adam Young has lifted his -2 to make exactly that happen. Regarding backwards compatibility, we should actually be restoring it vs grizzly, not breaking it in this bug fix. The bug fix itself will restore the behavior of master and stable/havana to be compatible with that of stable/grizzly... which should provide an easy migration path from stable/grizzly forward, eliminating the ops pain.

So I assume that I should remove the LegacyDomain and LegacyDefaultDomain from the patchest, don't I?

Alvaro- refer to the code review

I've finished a draft of the OSSN for this issue. It's still unclear exactly what the fix (if any) is going to be for a Havana update, so the OSSN doesn't mention anything about potential future changes. The OSSN draft follows below.

-------------------------------------------------------------------------------------------------------------------------

Keystone can allow user impersonation when using REMOTE_USER for external authentication.
---

### Summary ###
When external authentication is used with Keystone using the "ExternalDefault" plug-in, external usernames containing "@" characters are truncated at the "@" character before being mapped to a local Keystone user. This can result in separate external users mapping to the same local Keystone user, which could lead to user impersonation.

### Affected Services / Software ###
Keystone, Havana

### Discussion ###
When Keystone is run in Apache HTTP Server, the webserver can handle authentication and pass the authenticated username to Keystone using the REMOTE_USER environment variable. External authentication behavior is handled by authentication plugins in Keystone. In the Havana release of OpenStack, if the external username provided in the REMOTE_USER environment variable contains an "@" character Keystone will only use the portion preceding the "@" character as the username when using the "ExternalDefault" authentication plugin. This results in the ability for multiple unique external usernames to map to the same single username in Keystone. For example, the external usernames "<email address hidden>" and "<email address hidden>" would both map to the Keystone user "jdoe". This behavior could potentially be abused to allow one to impersonate another similarly named external user.

Keystone in OpenStack releases prior to Havana uses the entire value contained in the REMOTE_USER environment variable, so those versions are not vulnerable to this impersonation issue.

### Recommended Actions ###
If the "ExternalDefault" plugin is being used for external authentication in the Havana release, you should ensure that external usernames do not contain "@" characters unless you want to collapse similarly named external users into a single user on the Keystone side.

If your external usernames do contain "@" characters and you do not want to collapse similarly named external users into a single user on the Keystone side, you might be able to use the "ExternalDomain" plug-in. This plugin considers the portion of the external username that follows an "@" character to be the domain that the user belongs to in Keystone. This allows similarly named external users to map to separate Keystone users if the portion of the external username that follows an "@" character maps to a Keystone domain name. To configure the "ExternalDomain" authentication plugin, set the "external" parameter in the "[auth]" section of Keystone's keystone.conf as follows:

---- begin example keystone.conf snippet ----
[auth]
methods = external,password,token,oauth1
external = keystone.auth.plugins.external.ExternalDomain
---- end example keystone.conf snippet ----

If neither of the above recommendations work for your deploy...

Reviewed: https://review.openstack.org/50362
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1889ff207561c57587384063d61ef0b6f78457c4
Submitter: Jenkins
Branch: master

commit 1889ff207561c57587384063d61ef0b6f78457c4
Author: Alvaro Lopez Garcia <email address hidden>
Date: Tue Oct 8 11:08:42 2013 +0200

    Fix external auth (REMOTE_USER) plugin support

    According to the WSGI specification "REMOTE_USER should be the string
    username of the user, nothing more" [1], therefore no modifications
    should be made to the REMOTE_USER variable and it should be fully
    considered as the username. Otherwise the expected semantics of the
    REMOTE_USER variable change, and an site administrator could get
    undesirable side-effects.

    [1] http://wsgi.readthedocs.org/en/latest/specifications/simple_authentication.html#specification

    Moreover, it is important to have a consistent behaviour regarding
    external authentication in V2 (not domain aware), V3 with default
    domain and V3 with domain (see Bug #1253484) so that we produce similar
    results with the three methods.

    This change aims to solve this issues by removing the split of the
    REMOTE_USER variable by "@" at all:

    - In external.DefaultDomain, we cannot split REMOTE_USER by "@". This split
      will cause errors for remote users containing an "@" (not only
      emails, but also X.509 subjects, etc). The external.DefaultDomain plugin
      considers the REMOTE_USER variable as the username, and the configured
      default domain as the domain

    - In external.Domain we should not split also the REMOTE_USER by "@". A
      new environment variable (REMOTE_DOMAIN) is introduced, so that any
      external plugin can pass down the right domain for the user. The
      external.Domain plugin considers the REMOTE_USER as the username, the
      REMOTE_DOMAIN as the domain if it is present, otherwise it takes the
      configured default domain.

    - Two legacy plugins are also provided with the same behaviour as the
      Havana shipped ones. This plugins should not be used and are provided
      for compatibility reasons (see Bug #1254619)

    Closes-Bug: #1254619
    Closes-Bug: #1211233
    Closes-Bug: #1253484

    DocImpact: This change breaks backwards compatibility in favour of
    security (see bug #1254619), therefore an upgrade not is needed. It is
    needed to document the new plugins and state clearly the semantics of
    the REMOTE_USER and REMOTE_DOMAIN variable for the WSGI filters. The
    default external authentication plugin has been changed from
    exernal.ExternalDefault to external.Default.

    Change-Id: I1b2521a526fa976146dfe2fcf4d4c1851416d8ae

+1 for OSSN in comment #24

Two thoughts on the OSSN:

"When Keystone is run in Apache HTTP Server" isn't this normally described as running Keystone "behind" apache?

We probably shouldn't use Oauthv1 in our configuration snippet as it's not without it's own security considerations.

Otherwise looks good to me :)

> "When Keystone is run in Apache HTTP Server" isn't this normally described as running Keystone "behind" apache?

Keystone is actually run as a child of the httpd process by using mod_wsgi, so I think "in Apache HTTP Server" is appropriate here.

> We probably shouldn't use Oauthv1 in our configuration snippet as it's not without it's own security considerations.

I can pull this out. It was in the default config on my Havana RDO install, so I was simply using the default config in the example.

Published the following OSSN to the openstack and openstack-dev mailing lists:

-----------------------------------------------------------------

Keystone can allow user impersonation when using REMOTE_USER for
external authentication
---

### Summary ###
When external authentication is used with Keystone using the
"ExternalDefault" plug-in, external usernames containing "@"
characters are truncated at the "@" character before being mapped to a
local Keystone user. This can result in separate external users
mapping to the same local Keystone user, which could lead to user
impersonation.

### Affected Services / Software ###
Keystone, Havana

### Discussion ###
When Keystone is run in the Apache HTTP Server, the webserver can
handle authentication and pass the authenticated username to Keystone
using the REMOTE_USER environment variable. External authentication
behavior is handled by authentication plugins in Keystone. In the
Havana release of OpenStack, if the external username provided in the
REMOTE_USER environment variable contains an "@" character Keystone
will only use the portion preceding the "@" character as the username
when using the "ExternalDefault" authentication plugin. This results
in the ability for multiple unique external usernames to map to the
same single username in Keystone. For example, the external usernames
"<email address hidden>" and "<email address hidden>" would both map to the
Keystone user "jdoe". This behavior could potentially be abused to
allow one to impersonate another similarly named external user.

Keystone in OpenStack releases prior to Havana uses the entire value
contained in the REMOTE_USER environment variable, so those versions
are not vulnerable to this impersonation issue.

### Recommended Actions ###
If the "ExternalDefault" plugin is being used for external
authentication in the Havana release, you should ensure that external
usernames do not contain "@" characters unless you want to collapse
similarly named external users into a single user on the Keystone side.

If your external usernames do contain "@" characters and you do not
want to collapse similarly named external users into a single user on
the Keystone side, you might be able to use the "ExternalDomain"
plug-in. This plugin considers the portion of the external username
that follows an "@" character to be the domain that the user belongs
to in Keystone. This allows similarly named external users to map to
separate Keystone users if the portion of the external username that
follows an "@" character maps to a Keystone domain name. To configure
the "ExternalDomain" authentication plugin, set the "external"
parameter in the "[auth]" section of Keystone's keystone.conf as follows:

---- begin example keystone.conf snippet ----
[auth]
methods = external,password,token
external = keystone.auth.plugins.external.ExternalDomain
---- end example keystone.conf snippet ----

If neither of the above recommendations work for your deployment, a
custom authentication plugin can be created that uses the external
username that contains an "@" character as-is.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1254619
Original LaunchPa...