Open JRichlen opened 3 years ago
Also, provide a command line option to force clear the wallet and re-prompt for new password. I'm currently running into this problem. Despite the fact that gimme-aws-creds says it's clearing the stored password, it's clearly NOT clearing the stored password (just checked -- kwallet) and I'm getting locked out of okta for these attempts.
Any updates on this? I just got locked out of my okta account because of this
Plus one for visibility (despite plus-ones usually being discouraged).
gimme-aws-creds, when configured to use the password from the keyring, will automatically retry getting aws creds using an old password after a failed attempt. Okta is configured to lock out a user after a number of failed password attempts and requires a password change at defined intervals (every few months).

Expected Behavior
I expect an expired password to not be attempted more than once. After a failed login attempt I'd expect a prompt for a password to update the keyring instead of automatically attempting login again with an expired password.
Even if updating the keyring isn't possible, I'd at least expect a way to turn off automatic retries to stop it from using the keyring password repeatedly to cause okta lockouts after a routine password change.
Current Behavior
With an expired password in the keyring, gimme-aws-creds attempts to make multiple login attempts triggering a lockout on the okta account. This is a common security configuration to prevent brute force password cracking.
Possible Solution
Add a setting to turn automatic retries with keyring off.
Or
Make it prompt for a password after a failed attempt, and update the keyring with the new password.
Steps to Reproduce (for bugs)
This requires okta to be set up to allow 5 or fewer incorrect password entries before locking an account.
1. Run gimme-aws-creds and save the password to the keyring.
2. Run gimme-aws-creds again using the keyring password.
3. gimme-aws-creds should fail and the account should be locked.

Context
A complete productivity blocker when it locks us out of every application that uses okta for authentication.
The only current workaround is remembering to manually change/delete the password in the keychain whenever a password is changed.
Your Environment
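The retry behaviour described in the issue, and the "try the cached password once, then prompt and update the keyring" fix proposed under Possible Solution, side by side. This is an added example and not gimme-aws-creds' own code: `FakeOkta` is a constructed stand-in for an Okta org with an assumed lockout threshold of 5 failures, and `MemoryKeyring` is an in-memory stand-in for the three `keyring` calls (`get_password`, `set_password`, `delete_password`) so the file runs offline. Function names, the `max_prompts` bound and the service name are all assumptions made for illustration.

```python
"""Keyring-backed login that never re-sends a password Okta already rejected.

Added example, not code from gimme-aws-creds. The Okta org and the keyring are
constructed stand-ins so this runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class AuthFailed(Exception):
    """Okta rejected the password (counts one failure toward lockout)."""


class AccountLockedOut(Exception):
    """Okta locked the account after too many failed attempts."""


@dataclass
class FakeOkta:
    """Constructed stand-in for an Okta org with a lockout policy."""
    current_password: str
    lockout_threshold: int = 5          # assumed policy: lock after 5 failures
    failures: int = 0
    locked: bool = False
    attempts: List[str] = field(default_factory=list)   # every password sent

    def authenticate(self, username: str, password: str) -> None:
        self.attempts.append(password)
        if self.locked:
            raise AccountLockedOut(username)
        if password == self.current_password:
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= self.lockout_threshold:
            self.locked = True
            raise AccountLockedOut(username)
        raise AuthFailed(username)


class MemoryKeyring:
    """In-memory stand-in for the `keyring` API surface used here."""
    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], str] = {}

    def get_password(self, service: str, username: str) -> Optional[str]:
        return self._store.get((service, username))

    def set_password(self, service: str, username: str, password: str) -> None:
        self._store[(service, username)] = password

    def delete_password(self, service: str, username: str) -> None:
        self._store.pop((service, username), None)


@dataclass
class LoginResult:
    ok: bool
    tried: List[str]                 # distinct passwords actually sent to Okta
    source: Optional[str]            # "keyring" or "prompt" on success


def naive_login(okta: FakeOkta, store: MemoryKeyring, service: str,
                username: str, retries: int = 5) -> bool:
    """The behaviour the issue describes: keep retrying the cached password.

    With a stale password in the keyring every retry is a guaranteed failure,
    so `retries` >= the lockout threshold locks the account on its own.
    """
    cached = store.get_password(service, username)
    for _ in range(retries):
        try:
            okta.authenticate(username, cached or "")
            return True
        except AuthFailed:
            continue                 # AccountLockedOut propagates to the caller
    return False


def safe_login(okta: FakeOkta, store: MemoryKeyring, service: str,
               username: str, prompt: Callable[[], str],
               max_prompts: int = 2) -> LoginResult:
    """Send the cached password at most once; on rejection purge it and prompt.

    Worst case is 1 + max_prompts distinct attempts (3 by default), which stays
    below the assumed 5-failure lockout threshold no matter how stale the
    keyring entry is. A rejected password is never sent a second time.
    """
    tried: List[str] = []
    cached = store.get_password(service, username)
    if cached is not None:
        tried.append(cached)
        try:
            okta.authenticate(username, cached)
            return LoginResult(True, tried, "keyring")
        except AuthFailed:
            # Stale secret must not survive to the next run, or the next run
            # burns another failure on it before the user ever sees a prompt.
            store.delete_password(service, username)
    for _ in range(max_prompts):
        password = prompt()
        if password in tried:
            continue                 # refuse to resend a password Okta rejected
        tried.append(password)
        try:
            okta.authenticate(username, password)
        except AuthFailed:
            continue
        store.set_password(service, username, password)   # refresh the keyring
        return LoginResult(True, tried, "prompt")
    return LoginResult(False, tried, None)
```

The two functions differ only in what they do after the first rejection: `naive_login` treats the cached secret as retryable, while `safe_login` treats any rejected secret as dead, deletes it from the store so the next invocation cannot repeat the mistake, and bounds how many further guesses a single run may make. Bounding attempts per run is what keeps the tool from ever being able to reach a lockout threshold by itself, regardless of how the prompt is answered.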