auth_tkt: enable overriding digest algorithms


Jan Pokorný

Mar 2, 2012, 8:48:18 AM
to paste...@googlegroups.com, repoz...@lists.repoze.org
Hello,

Currently, the original mod_auth_tkt also supports SHA256 and SHA512 [1],
not just plain MD5. Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly
applicable to mod_auth_tkt, which primarily relies on the security
of the shared secret rather than the strength of the hashing scheme.
More paranoid users will probably prefer to use one of the SHA digest
types, however.

The default is likely to change in a future version, so setting the
digest type explicitly is encouraged.
----^----

I've made a modification to Paste's auth_tkt auth module to allow
overriding of the default MD5 digest:

https://bitbucket.org/jnpkrn/paste/changeset/5499c61eb27f

Is the proposed change likely to be accepted?

I am CC'ing repoze-dev as repoze.who.plugins.auth_tkt could also
benefit from this change (is the change integration-ready?).

[1] http://linux.die.net/man/3/mod_auth_tkt

Thanks,
Jan

Jan Pokorný

Mar 5, 2012, 3:24:32 PM
to paste...@googlegroups.com, repoz...@lists.repoze.org, ianbi...@gmail.com
On 02/03/12 14:48 +0100, Jan Pokorný wrote:
>Hello,
>
>Currently, the original mod_auth_tkt also supports SHA256 and SHA512 [1],
>not just plain MD5. Quoting:
>
>----v----
>The default is MD5, which is faster, but has now been shown to be
>vulnerable to collision attacks. Such attacks are not directly
>applicable to mod_auth_tkt, which primarily relies on the security
>of the shared secret rather than the strength of the hashing scheme.
>More paranoid users will probably prefer to use one of the SHA digest
>types, however.
>
>The default is likely to change in a future version, so setting the
>digest type explicitly is encouraged.
>----^----
>
>I've made a modification to Paste's auth_tkt auth module to allow
>overriding of the default MD5 digest:
>
>https://bitbucket.org/jnpkrn/paste/changeset/5499c61eb27f
>

Update (based on Ian's comments):
The algorithm can also be specified as a string referring to the
algorithm known to hashlib (otherwise AttributeError will be raised).

The new version:
https://bitbucket.org/jnpkrn/paste/changeset/69404df8a13d (branch v2)

Any more comments or is it ready for pull request?
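
An added example, not code from Paste or from the changesets linked in this thread: a sketch of an auth_tkt-style ticket whose digest algorithm is given as a hashlib constructor or by name, with the parser deriving the digest length from that algorithm instead of assuming MD5's 32 hex characters. The function names, the simplified layout (hex digest, 8-hex-digit timestamp, `userid!tokens!user_data`), the two-pass digest and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct


def resolve_digest(algo):
    """Accept a hashlib constructor or its name; an unknown name raises AttributeError."""
    return getattr(hashlib, algo) if isinstance(algo, str) else algo


def calculate_digest(ip, timestamp, secret, userid, tokens, user_data, algo="md5"):
    """Two-pass digest over the ticket fields, keyed by the shared secret (assumed layout)."""
    h = resolve_digest(algo)
    head = socket.inet_aton(ip) + struct.pack("!I", timestamp)
    inner = h(head + secret + userid + b"\0" + tokens + b"\0" + user_data).hexdigest()
    return h(inner.encode("ascii") + secret).hexdigest()


def make_ticket(ip, timestamp, secret, userid, tokens=b"", user_data=b"", algo="md5"):
    """Serialize as <hexdigest><8 hex timestamp><userid>!<tokens>!<user_data>."""
    digest = calculate_digest(ip, timestamp, secret, userid, tokens, user_data, algo)
    return digest.encode("ascii") + b"%08x" % timestamp + userid + b"!" + tokens + b"!" + user_data


def parse_ticket(ticket, ip, secret, algo="md5"):
    """Return (timestamp, userid, tokens, user_data); raise ValueError if invalid."""
    # The split point depends on the algorithm: 32 hex chars for md5, 64 for sha256.
    hexlen = resolve_digest(algo)().digest_size * 2
    digest, rest = ticket[:hexlen], ticket[hexlen:]
    try:
        timestamp = int(rest[:8], 16)
        userid, tokens, user_data = rest[8:].split(b"!", 2)
    except ValueError:
        raise ValueError("malformed ticket")
    expected = calculate_digest(ip, timestamp, secret, userid, tokens, user_data, algo)
    # Constant-time comparison of the presented and recomputed digests.
    if not hmac.compare_digest(digest, expected.encode("ascii")):
        raise ValueError("digest mismatch")
    return timestamp, userid, tokens, user_data
```

The ticket carries no algorithm identifier, so the issuer and every verifier have to be configured with the same digest; a mismatch is rejected rather than silently accepted.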
