Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Repeated Okta Lockouts after password change with a keyring password #295

Open JRichlen opened 3 years ago

JRichlen commented 3 years ago

gimme-aws-creds, when configured to use the password from the keyring, will automatically retry getting AWS creds using an old password after a failed attempt. Okta is configured to lock out a user after a number of failed password attempts and requires a password change at defined intervals (every few months).

Expected Behavior

I expect an expired password to not be attempted more than once. After a failed login attempt I'd expect a prompt for a password to update the keyring instead of automatically attempting login again with an expired password.

Even if updating the keyring isn't possible, I'd at least expect a way to turn off automatic retries to stop it from using the keyring password repeatedly to cause okta lockouts after a routine password change.

Current Behavior

With an expired password in the keyring, gimme-aws-creds makes multiple login attempts, triggering a lockout on the Okta account. This is a common security configuration to prevent brute-force password cracking.

Possible Solution

Add a setting to turn automatic retries with keyring off.

Or

Make it prompt for a password after a failed attempt, and update the keyring with the new password.

Steps to Reproduce (for bugs)

This requires Okta to be set up to allow 5 or fewer incorrect password entries before locking an account.

  1. run gimme-aws-creds and save password to keyring
  2. change okta password
  3. run gimme-aws-creds again using the keyring password
  4. gimme-aws-creds should fail and account should be locked

Context

A complete productivity blocker when it locks us out of every application that uses okta for authentication.

The only current workaround is remembering to manually change or delete the password in the keychain whenever a password is changed.

Your Environment
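As an added example (not gimme-aws-creds code), the retry policy the report asks for: the cached keyring password is sent at most once, a rejected password is deleted from the keyring before the user is prompted, and only a password the IdP actually accepts is written back. The `KeyringStore` class and the `authenticate`/`prompt` callables are stand-ins for the real keyring and Okta client.

```python
"""Retry policy that never re-sends a cached password after the IdP rejects it."""
from typing import Callable, Dict, List, Optional


class AuthenticationError(Exception):
    """Raised by the (hypothetical) Okta client when a password is rejected."""


class KeyringStore:
    """Stand-in for the OS keyring: one stored password per username."""
    def __init__(self) -> None:
        self.secrets: Dict[str, str] = {}

    def get(self, user: str) -> Optional[str]:
        return self.secrets.get(user)

    def set(self, user: str, password: str) -> None:
        self.secrets[user] = password

    def delete(self, user: str) -> None:
        self.secrets.pop(user, None)


def login_without_lockout(user: str, keyring: KeyringStore, authenticate: Callable,
                          prompt: Callable[[], Optional[str]], max_prompts: int = 1):
    """Send the keyring password at most once; if rejected, delete it and prompt.
    authenticate(user, password) raises AuthenticationError on a bad password;
    prompt() returns a fresh password or None to abort. Returns (session, tried),
    where tried lists every password actually sent to the IdP.
    """
    tried: List[str] = []
    cached = keyring.get(user)
    if cached is not None:
        tried.append(cached)
        try:
            return authenticate(user, cached), tried
        except AuthenticationError:
            keyring.delete(user)  # never retry a password the IdP already rejected
    for _ in range(max_prompts):
        fresh = prompt()
        if fresh is None or fresh in tried:
            break  # abort instead of burning another lockout-counted attempt
        tried.append(fresh)
        try:
            session = authenticate(user, fresh)
        except AuthenticationError:
            continue
        keyring.set(user, fresh)  # cache only a password the IdP accepted
        return session, tried
    raise AuthenticationError(f"login failed after {len(tried)} attempt(s)")
```

With a stale password cached, the IdP sees exactly one failed attempt before the user is asked for a new one, so a routine password change can no longer exhaust the lockout threshold by itself.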

notjames commented 9 months ago

Also, provide a command-line option to force-clear the wallet and re-prompt for a new password. I'm currently running into this problem. Despite the fact that gimme-aws-creds says it's clearing the stored password, it's clearly NOT clearing the stored password (just checked -- kwallet), and I'm getting locked out of Okta for these attempts.

Sharashchandra commented 2 weeks ago

Any updates on this? I just got locked out of my Okta account because of this.

yermulnik commented 2 weeks ago

Plus one for visibility (even though plus-ones are usually discouraged).