currently, original mod_auth_tkt supports also SHA256 and SHA 512 ,
not just plain MD5. Quoting:
The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly
applicable to mod_auth_tkt, which primarily relies on the security
of the shared secret rather than the strength of the hashing scheme.
More paranoid users will probably prefer to use one of the SHA digest
The default is likely to change in a future version, so setting the
digest type explicitly is encouraged.
I've made a modification to Paste's auth_tkt auth module to allow
overriding of default MD5 digest:
Is the proposed change likely to be accepted?
I am CC'ing repoze-dev as repoze.who.plugins.auth_tkt could also
benefit from this change (is the change integration-ready?).
Update (based Ian's comments):
The algorithm can also be specified as a string referring to the
algorithm known to hashlib (otherwise AttributeError will be raised).
The new version:
https://bitbucket.org/jnpkrn/paste/changeset/69404df8a13d (branch v2)
Any more comments or is it ready for pull request?