On Tue, 2 Sept 2025, 01:03 Adrian Jarvis, <adrian.jarvis@catalystcloud.nz> wrote:
Hi,We are currently running Keystone Rocky and are upgrading through releases. As a result we have some time to before we get to Epoxy to put some migration of password hashes into place.I am working on a patch to check the password hash after the user has authenticated and to rehash the password if the hash is deprecated. I'm writing this against Train but is would be straight forward to add to later releases.Would others be interested in such a patch? I would be happy to submit it if there is.RegardsAdrian JarvisOn Tue, 2025-08-26 at 09:29 +0200, Dmitriy Rabotyagov wrote:> the only way for keyston to do this would be to wait for the user to auth and as a sideffect of thatt caluate a newer hash after they verify the users credentialsAnd that would be really a great way to do it from my prespective. Though, it would require at this point to:- re-implement sha512-crypt algorithm natively without passlib- backport to 2025.1- maintain it for couple of cycles to allow users to naturally login and update the hash> the SELECT query shows one less entryI realized there is an issue in this SQL query actually - I have not figured out the correct one so far though. And the issue is, that not all "non-expired" passwords are actually relevant ones for the user, so there has to be another JOIN. As current query may include also historical passwords for the user.> Is this approach reasonable to just switch the hashing algorithm and nothing else by simply setting the existing password againSure, if you know the password - setting the same password again for the user will work indeed.вт, 26 авг. 2025 г. в 09:02, Tobias Urdin - Binero <tobias.urdin@binero.com>:Thanks for the heads-up! :)/TobiasOn 25 Aug 2025, at 18:12, Dmitriy Rabotyagov <noonedeadpunk@gmail.com> wrote:Hey folks,I wanted to raise awareness of operators regarding Keystone upgrade to Epoxy (2025.1), as found that existing release notes are slightly more vague about corner case definition.During analysis, it appeared that a lot of users (and under "a lot" I mean 4 figures number) in my really old deployments (which were deployed during Newton), still in use passwords hashed with sha512_crypt which has been dropped in 2025.1 [1]. As this was referenced as a "corner case" in upgrade docs, it may not bring enough attention to this matter reading notes, while sha512_crypt removal is mentioned in "Other" section which I personally missed when analyzing upgrade requirements.So I would highly recommend to ensure that all your users are using supported hashing algorithms before the upgrade to Epoxy, and inform them to reset their passwords if they don't.You can list users who are using unsupported hashing algorithm using following MySQL query:SELECT distinct l_u.user_id FROM keystone.local_user AS l_u JOIN keystone.password AS hash ONl_u.id = hash.local_user_id WHERE (hash.password_hash LIKE '$6$%' OR hash.password_hash LIKE '$5$%') AND hash.expires_at i
s null;Hope this helps somebody to save some time in the future.--Adrian Jarvis
Developer Team Lead
Aotearoa New Zealand's cloud provider
e adrianjarvis@catalystcloud.nz
Level 6, Catalyst House, 150 Willis St, Wellington 6011
Confidentiality Notice: This email is intended for the named recipients only. It may contain privileged, confidential or copyright information. If you are not the named recipient, any use, reliance upon, disclosure or copying of this email or its attachments is unauthorised. If you have received this email in error, please reply via email or call +64 4 499 2267.