Cool. We should do something similar I guess.
> On Sun, Sep 9, 2012 at 4:56 PM, Chris McDonough <chr...@plope.com> wrote:
> On Sun, 2012-09-09 at 06:55 -0700, Florian Rüchel wrote:
> > I was getting interested in how Pyramid's authentication works and looked through the commonly used AuthTktAuthenticationPolicy code. I found out it uses MD5 and the only thing keeping the cookie from being forged is the secret.
> > I see two different issues here:
> > First, MD5 is already known to have weaknesses and it would be a good idea to have different algorithms available so they can be set. This shouldn't be very hard to implement (I can write a patch if you desire) and it can improve the security of any site.
> > Second, since everything depends on the single secret, I think it should be documented better (communicated on at least the docstring and the documentation) that the secret has to be strong (long, random, maybe state a minimum length).
> It would be fine by me if we made it possible to change the hashing algorithm. But it probably needs to continue to support md5, because its purpose is to be compatible with Apache mod_auth_tkt cookies. I would be happy to accept a patch that allowed folks to plug in a different hashing algorithm, and explain to them that if they do, it will no longer be compatible with those cookies.
> There are also existing options that can help make it stronger regardless of the hash, such as including the IP in the token, IIRC.
> - C
> --
> You received this message because you are subscribed to the Google Groups "pylons-devel" group.
> To post to this group, send email to pylons-devel@googlegroups.com.
> To unsubscribe from this group, send email to pylons-devel+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/pylons-devel?hl=en.
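The auth_tkt cookie scheme discussed in the quoted thread, as an added example (Python 3; not Pyramid's or mod_auth_tkt's own code): a minimal signer and verifier with a pluggable hash algorithm, IP binding, and constant-time digest comparison. The digest layout is my reading of the mod_auth_tkt format and is an assumption; the secret, user, tokens and IP values are constructed samples.

```python
import hashlib
import hmac
import struct
from socket import inet_aton

# Added example, not Pyramid's or mod_auth_tkt's code. Digest construction
# follows the mod_auth_tkt double-hash scheme as I understand it (assumption):
#   inner  = hash(packed_ip + packed_timestamp + secret + userid\0tokens\0data)
#   digest = hash(inner_hex + secret)
# hashalg="md5" matches mod_auth_tkt; any other algorithm breaks compatibility.

def _digest(secret, ip, timestamp, userid, tokens, user_data, hashalg):
    ip_ts = inet_aton(ip) + struct.pack("!I", timestamp)  # 4-byte IP + 4-byte time
    payload = userid.encode() + b"\0" + tokens.encode() + b"\0" + user_data.encode()
    inner = hashlib.new(hashalg, ip_ts + secret + payload).hexdigest()
    return hashlib.new(hashalg, inner.encode("ascii") + secret).hexdigest()

def make_ticket(secret, userid, timestamp, ip="0.0.0.0", tokens="", user_data="", hashalg="md5"):
    """Build digest + 8-hex-char timestamp + userid!tokens!user_data."""
    digest = _digest(secret, ip, timestamp, userid, tokens, user_data, hashalg)
    return digest + "%08x" % timestamp + userid + "!" + tokens + "!" + user_data

def parse_ticket(secret, ticket, ip="0.0.0.0", hashalg="md5"):
    """Verify a ticket; return (timestamp, userid, tokens, user_data) or raise ValueError."""
    hexlen = hashlib.new(hashalg).digest_size * 2
    digest, rest = ticket[:hexlen], ticket[hexlen:]
    ts_hex = rest[:8]
    if len(ts_hex) != 8 or ts_hex.strip("0123456789abcdef"):
        raise ValueError("malformed timestamp")
    timestamp = int(ts_hex, 16)
    userid, tokens, user_data = rest[8:].split("!", 2)  # ValueError if fewer than two '!'
    expected = _digest(secret, ip, timestamp, userid, tokens, user_data, hashalg)
    # Constant-time compare: the secret is the only thing protecting this digest.
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        raise ValueError("digest mismatch")
    return timestamp, userid, tokens, user_data

def ticket_is_valid(secret, ticket, ip="0.0.0.0", hashalg="md5"):
    try:
        parse_ticket(secret, ticket, ip, hashalg)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    SECRET = b"use-a-long-random-secret"  # constructed sample; generate from os.urandom in practice
    t = make_ticket(SECRET, "alice", 1347224160, ip="10.0.0.1", tokens="editor")
    print(parse_ticket(SECRET, t, ip="10.0.0.1"))        # IP-bound ticket verifies from 10.0.0.1
    print(ticket_is_valid(SECRET, t, ip="10.0.0.2"))     # False: presented from another IP
    print(ticket_is_valid(SECRET, t, hashalg="sha256"))  # False: other hash, not compatible
```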