User retains active session after its password is changed by an admin
This document (000021604) is provided subject to the disclaimer at the end of this document.
Environment
- Rancher 2.8.x
- Rancher 2.9.x
Situation
If an admin changes the password of a user while said user has an active session, the user can continue to use its session without needing to re-login.
This scenario results on any active session for that user to remain active, even though the password has changed. If the password change was triggered due to the account being compromised, the administrator has no way to invalidate the active sessions, therefore the malicious user retains access until their session expires.
Resolution
Admins can delete session tokens for that particular user themselves.
kubectl get token \-o custom-columns=":metadata.name" \-l authn.management.cattle.io/kind=session,authn.management.cattle.io/token-userId=<user name> \| xargs kubectl delete token
The manual remediation above force user sessions to be invalidated, for both local auth and external auth providers.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021604
- Creation Date: 29-Oct-2024
- Modified Date:01-Nov-2024
-
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
