--
You received this message because you are subscribed to the Google Groups "pylons-devel" group.
To post to this group, send email to pylons...@googlegroups.com.
To unsubscribe from this group, send email to pylons-devel...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pylons-devel?hl=en.
I dislike MD5 as much as the next guy, but auth_tkt uses a double hashing scheme that is almost HMAC. HMAC overcomes most of the problems of an otherwise weak hash function. It isn't as bad as you might think.
The SHA-2 functions are a great replacement. SHA-2 auth_tkt is what I would use. SHA-1 is discouraged these days. You don't need bcrypt because the secret you are protecting is very long. Password hashing functions are not MACs.
UUIDs make good auth_tkt secrets.
Florian: do you plan to provide a patch?
--
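The "double hashing scheme that is almost HMAC" in the message above, written out as an added example (this is not Pyramid's or mod_auth_tkt's source): the auth_tkt digest is H(H(payload) || secret) with the payload being the packed IPv4 address and timestamp, the secret, the user id and the tokens and user data, and the inner hex digest is what gets re-hashed. A real HMAC over the same fields is built beside it for comparison, both parameterised by the hash algorithm name, and verification uses a constant-time comparison. The secret, user id, IP and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions, not from the thread).
SAMPLE_SECRET = b'8f0b2c1e5a7d4e6f9c3b1a2d4e6f8a0b'
SAMPLE_IP = '127.0.0.1'
SAMPLE_TS = 1348400000
SAMPLE_USER = b'alice'


def _encode_ip_timestamp(ip, timestamp):
    """Pack a dotted-quad IPv4 address and a Unix timestamp into 8 bytes:
    four address octets followed by the time as a big-endian 32-bit integer,
    which is the layout auth_tkt feeds into the inner hash."""
    octets = bytes(int(part) for part in ip.split('.'))
    return octets + struct.pack('>I', int(timestamp))


def _payload(ip, timestamp, secret, userid, tokens, user_data):
    """The byte string both constructions authenticate."""
    return (_encode_ip_timestamp(ip, timestamp) + secret + userid
            + b'\0' + tokens + b'\0' + user_data)


def auth_tkt_digest(ip, timestamp, secret, userid, tokens=b'', user_data=b'',
                    hashalg='md5'):
    """Double-hash construction: inner = H(payload), outer = H(hex(inner) || secret).
    Returns the outer digest as a hex string. Because the secret is mixed into
    both the inner and the outer hash, a length-extension attack on the inner
    hash alone does not yield a valid outer digest, which is why it is 'almost
    HMAC'. hashalg is any name hashlib knows, e.g. 'md5', 'sha256', 'sha512'."""
    inner = hashlib.new(hashalg, _payload(ip, timestamp, secret, userid,
                                          tokens, user_data)).hexdigest()
    return hashlib.new(hashalg, inner.encode('ascii') + secret).hexdigest()


def hmac_digest(ip, timestamp, secret, userid, tokens=b'', user_data=b'',
                hashalg='sha256'):
    """Standard HMAC over the same fields, for comparison with the above."""
    return hmac.new(secret, _payload(ip, timestamp, secret, userid,
                                     tokens, user_data), hashalg).hexdigest()


def verify(expected_hex, presented_hex):
    """Constant-time comparison: a plain == would return as soon as the first
    differing character is hit and leak how much of the digest matched."""
    return hmac.compare_digest(expected_hex, presented_hex)


if __name__ == '__main__':
    for alg in ('md5', 'sha256', 'sha512'):
        print(alg, auth_tkt_digest(SAMPLE_IP, SAMPLE_TS, SAMPLE_SECRET,
                                   SAMPLE_USER, hashalg=alg))
    print('hmac-sha256', hmac_digest(SAMPLE_IP, SAMPLE_TS, SAMPLE_SECRET,
                                     SAMPLE_USER))
```

Switching hashalg from 'md5' to 'sha256' changes only the digest length and the primitive; the ticket layout stays the same, which is why the thread treats the algorithm as a configuration choice rather than a protocol change. A ticket checker should pair the digest check with `verify` and with the timestamp check, so that an old ticket with a valid digest is still rejected.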
Clearly in that case you are on your own.
Additionally you could provide help on how to generate such a secret (but that's extra candy). I have looked through various parts of the documentation and it is always set to something like 'seekrit' and similar, but it is never mentioned how to make sure that this is secure.
--
How about a script that's part of the framework itself? We have pserve,
pcreate... how about
pkeygen [-w <filename>]
or
pyramid-keygen [-w <filename>]
--
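An added example of the kind of script proposed above, serving both the "how to generate such a secret" question and the `pkeygen [-w <filename>]` suggestion. This is not a Pyramid command: `pkeygen` and `-w` are the thread's proposal, the `-n` option, the function names and the entry-point name are my assumptions. It draws the secret from the operating system CSPRNG via `secrets`, so it works the same on Windows and Linux, and writes the file with owner-only permissions where the platform honours them.

```python
import argparse
import os
import secrets
import uuid

# Assumption: a secret of 32 random bytes (256 bits), far above the strength
# of any hashalg auth_tkt would use. 16 bytes is the floor enforced below.
DEFAULT_BYTES = 32
MIN_BYTES = 16


def generate_secret(nbytes=DEFAULT_BYTES):
    """Return nbytes of CSPRNG output as a lowercase hex string
    (2 * nbytes characters), suitable as an auth_tkt secret."""
    if nbytes < MIN_BYTES:
        raise ValueError('auth_tkt secret should be at least %d random bytes'
                         % MIN_BYTES)
    return secrets.token_hex(nbytes)


def generate_uuid_secret():
    """The alternative suggested in the thread: a random UUID. uuid4 carries
    122 random bits, which is also plenty for this purpose."""
    return str(uuid.uuid4())


def write_secret_file(path, secret):
    """Create the file with mode 0600 so other local users cannot read the
    secret; on Windows the mode argument is ignored but the call still works."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as fh:
        fh.write(secret + '\n')


def main(argv=None):
    """Entry point. Returns the generated secret so callers can use it too."""
    parser = argparse.ArgumentParser(
        prog='pkeygen', description='generate a random auth_tkt secret')
    parser.add_argument('-w', '--write', metavar='filename',
                        help='write the secret to this file instead of stdout')
    parser.add_argument('-n', '--bytes', type=int, default=DEFAULT_BYTES,
                        help='number of random bytes (default %d)' % DEFAULT_BYTES)
    args = parser.parse_args(argv)
    secret = generate_secret(args.bytes)
    if args.write:
        write_secret_file(args.write, secret)
    else:
        print(secret)
    return secret


if __name__ == '__main__':
    main()
```

To make it a cross-platform command, the usual route is a `console_scripts` entry point in the package's setup.py (for example `pkeygen = yourpackage.pkeygen:main`, an assumed module path), which setuptools turns into a `pkeygen` executable on Linux and a `pkeygen.exe` wrapper on Windows. The output then replaces the `'seekrit'` placeholder in the application's ini file or in the `AuthTktAuthenticationPolicy` constructor.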
On Sun, 2012-09-23 at 05:54 -0700, Florian Rüchel wrote:
>
> How about a script that's part of the framework itself? We
> have pserve,
> pcreate... how about
>
> pkeygen [-w <filename>]
>
> or
>
> pyramid-keygen [-w <filename>]
>
> I like this idea very much. I would like to either get this usage
> approved or I would just build a simple function inside pyramid.
> However, such a function belongs more into an installation than into
> application code. Can you tell me how to build such a script that runs
> on both Windows and Linux? I would like to see it implemented in this
> way if Chris approves.
Who will use it and when would they use it?
> On a separate note: I have started on improving the documentation. As
> a first step, I have edited the `narr/authentication.rst` to include a
> note and have documented the API for
> `pyramid.authentication.AuthTktAuthenticationPolicy` (better
> documentation for secret, add documentation for hashalg). My question
> is now how would you handle this in regards to the documentation. I
> thought about adding this (or a similar) note everywhere this policy
> is used. This should raise the awareness everywhere the docs are read
> (e.g. tutorials). Furthermore, since we would clearly recommend to use
> something like SHA256 if MD5 is not explicitly needed, should we
> change the code examples to include a better hashalg (instead of just
> documenting it)? I would vote for a yes, since I don't see any
> disadvantage: If you build a new application, you should always use
> another algorithm and as shown above mod_auth_tkt can also easily
> handle other algorithms if configured correctly.
I didn't know we already had a mergeable patch for the hashalg stuff.
The last patch I saw seemed maybe a little overwrought. Until we figure
that out, I'd hold off on changing docs.
- C
--