[Openstack-security] [Bug 1174499] Re: Keystone token hashing is MD5
    Gary W. Smith 
    gary.w.smith at hp.com
       
    Fri Aug 22 17:52:32 UTC 2014
    
    
  
Thanks Adam. Marking the horizon as low priority in keeping with the
priority of the other parts of this change, and due to the comments
above about its low risk (such as #6 and #7).
** Changed in: horizon
       Status: New => Confirmed
** Changed in: horizon
   Importance: Undecided => Low
-- 
https://bugs.launchpad.net/bugs/1174499
Title:
  Keystone token hashing is MD5
Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack API documentation site:
  Confirmed
Status in Python client library for Keystone:
  Fix Released
Bug description:
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py
  import hashlib

  def cms_hash_token(token_id):
      """
      return: for ans1_token, returns the hash of the passed in token
      otherwise, returns what it was passed in.
      """
      if token_id is None:
          return None
      # is_ans1_token() is defined elsewhere in cms.py
      if is_ans1_token(token_id):
          # MD5 digest of the token id: the behaviour this bug reports
          hasher = hashlib.md5()
          hasher.update(token_id)
          return hasher.hexdigest()
      else:
          return token_id
  
  MD5 is a deprecated mechanism; it should be replaced with at least SHA1, if not SHA256.
  Keystone should be able to support multiple Hash types, and the auth_token middleware should query Keystone to find out which type is in use.
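
The sketch below is an added example, not code from python-keystoneclient or from the fix for this bug. It shows one way the "multiple hash types" idea in the description can work: the hash algorithm becomes a parameter, and a consumer configured with an ordered list of algorithms still matches a revocation list that was written under MD5. The names hash_token, lookup_keys, is_revoked and ALLOWED_ALGORITHMS are hypothetical, and the "MII" prefix test is an assumption standing in for is_ans1_token().

```python
import hashlib

# Assumption: a PKI token id is base64 of a DER-encoded CMS blob, so it starts
# with "MII"; this check stands in for is_ans1_token() from the excerpt.
PKI_PREFIX = "MII"
ALLOWED_ALGORITHMS = ("sha256", "sha1", "md5")  # hypothetical allow-list


def hash_token(token_id, mode="sha256"):
    """Hex digest of a PKI token id under `mode`; other ids pass through."""
    if token_id is None:
        return None
    if mode not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported token hash algorithm: %r" % (mode,))
    if not token_id.startswith(PKI_PREFIX):
        return token_id
    return hashlib.new(mode, token_id.encode("utf-8")).hexdigest()


def lookup_keys(token_id, hash_algorithms):
    """Keys to try against a cache or revocation list, preferred first."""
    keys = []
    for mode in hash_algorithms:
        key = hash_token(token_id, mode)
        if key not in keys:  # non-PKI ids hash to themselves under every mode
            keys.append(key)
    return keys


def is_revoked(token_id, revoked_ids, hash_algorithms):
    """True if the token matches the list under any configured algorithm."""
    return any(k in revoked_ids for k in lookup_keys(token_id, hash_algorithms))


# Constructed sample data: a fake PKI-shaped id and a revocation list that was
# written while the service still hashed with MD5.
SAMPLE_TOKEN = PKI_PREFIX + "B" * 61
REVOKED_IDS = {hash_token(SAMPLE_TOKEN, "md5"), "uuid-style-token-0001"}

if __name__ == "__main__":
    for algs in (["sha256"], ["sha256", "md5"]):
        print(algs, is_revoked(SAMPLE_TOKEN, REVOKED_IDS, algs))
```

A consumer that lists only sha256 misses the MD5-keyed entry, which is why both sides have to agree on the algorithm list while old entries are still live.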