[Openstack-security] [Bug 1543048] Re: support alternative password hashing in keystone

OpenStack Infra 1543048 at bugs.launchpad.net
Fri Jun 2 12:20:43 UTC 2017 

Reviewed:  https://review.openstack.org/438701
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8ad765e0230ceeb5ca7c36ec3ed6d25c57b22c9d
Submitter: Jenkins
Branch:    master

commit 8ad765e0230ceeb5ca7c36ec3ed6d25c57b22c9d
Author: Morgan Fainberg <morgan.fainberg at gmail.com>
Date:   Mon Feb 27 13:06:07 2017 -0800

    Support new hashing algorithms for securely storing password hashes
    
    Support bcrypt, pbkdf2_sha512, or scrypt in password hashing for
    passwords managed within keystone. sha512_crypt is insufficient to
    hash passwords in a secure way for storage in the DB. Keystone defaults
    now to using bcrypt but can handle scrypt and pbkdf2_sha512 with a number
    of tuning options if desired.
    
    Closes-bug: #1543048
    Closes-bug: #1668503
    Change-Id: Id05026720839d94de26d0e44631deb34bcc0e610


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1543048

Title:
  support alternative password hashing in keystone

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Once upon a time there was bug #862730 recommending that alternative
  password hashing be supported which was closed as invalid since
  hashing became base-line feature of Keystone's passwords. It would be
  generally beneficial to support at the very least the passlib
  implementation of bcrypt as an alternative to strictly sha512 based
  password hashing. Ideally this should also take into account the
  relatively new player scrypt.

  NIST has standardized (afaict) on the SHA-2 based hashing, which
  should remain the default. Architecture that will support some
  different password hashing made available at least through passlib
  will make keystone better in the long term, allowing for operators to
  determine more than just the SHA-2 based cost.

  The proposal is as follows:

    * Allow selected support of different password hashing algorithms
  from with passlib architecturally

    * Expand to support bcrypt

    * Deprecate the "crypt_strength" option in favor of identifying the
  cost when selecting the password hashing algorithm such as:
  sha512::10000 or bcrypt::12

    * Keep the default the same as today

    * Identify the password hash based upon the algorithm used, no
  identifier = sha512 (this might not be required)

    * Add "py-bcrypt" or similar "preferred" backend(s) to extras in
  setup.cfg

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1543048/+subscriptions

More information about the Openstack-security mailing list