[openstack-dev] Keystone Hashing MD5 to SHA256

Tristan Cacqueray tristan.cacqueray at enovance.com
Mon Jan 6 16:00:33 UTC 2014

On 01/06/2014 04:19 PM, Adam Young wrote:
> Dirk,
> If it were as  easy as just replaceing hteh hash algorithm, we would
> have done it a year + ago.  I'm guessing you figured that by now.
> Here is the deal:  We need to be able to make things work side by side. 
> Not sure how to do that, but I think the right solution is to make
> keystone configurable first, so that you can set the hashing algorithm
> in the config file, and that python-keystoneclient should be able to
> handle both.  Since the PKC  doesn't tend to talk to multiple Keystones,
> that should probably be sufficient.
> In the future, Keystones  need to be advertise, somehow, what Hashing
> algorithm it uses.  It probably can/should stick that data in the token.
> Thoughts?

Hello list!

How about we prefix the hash with the chosen algorithm, like the glibc
crypt method (ie: $id$hash) ? No prefix would mean the former md5.

This would allow a smooth migration as multiple hash algorithm could be
used simultaneously and keystone wouldn't have to announce what
algorithm it uses...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140106/7bdfeab0/attachment.pgp>

More information about the OpenStack-dev mailing list