- **summary**: support newer pwd hashs, remove deprecated 'crypt' --> support 
newer pwd hashs, remove deprecated 'crypt' AUTH PLUGIN CHANGES
- **Comment**:

allura:db/8566

QA: After switching to this branch, you should be able to log in as a user, and 
then see that the password automatically got re-hashed with the new preferred 
algorithm.

There are breaking AuthenticationProvider plugin changes, for any custom Auth 
implementations:

- `set_password` takes a `set_timestamp=True` argument, which should be checked before 
setting user.last_password_updated
- rename `def validate_password` to `def _validate_password`, since the base 
class now implements a high-level `validate_password`
- when creating a User record, the `password_algorithm` field should be set
- if code does password validation directly (e.g. ldap's `_login`), it should now 
call `self.rehash_password_if_needed` too



---

**[tickets:#8566] support newer pwd hashs, remove deprecated 'crypt' AUTH 
PLUGIN CHANGES**

**Status:** in-progress
**Milestone:** unreleased
**Created:** Tue Jul 02, 2024 07:42 PM UTC by Dave Brondsema
**Last Updated:** Tue Jul 02, 2024 07:42 PM UTC
**Owner:** Dave Brondsema


our LDAP plugin's password handling uses `crypt` which is deprecated since 3.11 
and removed in 3.13 https://docs.python.org/3/library/crypt.html

crypt only supports a few algorithms anyway, it'd be good to support argon2, 
scrypt, bcrypt, pbkdf2_sha512

local password storage does sha256 and definitely should be updated.
Similar/same config options for local & ldap hashing?

https://passlib.readthedocs.io/en/stable/ seems pretty good and supports a lot 
of algorithms, but it isn't maintained the best :(

If an admin configures a new password hashing algorithm, we should make it be a 
seamless transition, including when someone logs in to re-hash the password, 
when needed.
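The rehash-on-login flow that the plugin changes above and the "seamless transition" requirement describe, as an added example that is not Allura's code: a minimal stand-in for the base-class `validate_password` / plugin `_validate_password` split, the `password_algorithm` field, `set_password(set_timestamp=...)` and `rehash_password_if_needed`. It uses only the standard library (hashlib PBKDF2 instead of passlib); the `User` class, the `now` parameter, the iteration count and the `salt$digest` layout are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PREFERRED_ALGORITHM = "pbkdf2_sha512"   # what an admin would configure

@dataclass
class User:
    # Constructed stand-in for a user record carrying the new password_algorithm field
    username: str
    password_hash: str
    password_algorithm: str
    last_password_updated: int = 0   # epoch seconds; 0 = never set

def _hash(algorithm: str, password: str, salt: str) -> str:
    """Hash with the named algorithm; output is 'salt$digest' (legacy sha256 has no salt)."""
    if algorithm == "sha256":   # legacy unsalted sha256, as used by local password storage
        return hashlib.sha256(password.encode()).hexdigest()
    if algorithm == "pbkdf2_sha512":
        digest = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt), 210_000)
        return f"{salt}${digest.hex()}"
    raise ValueError(f"unsupported algorithm {algorithm!r}")

def set_password(user: User, password: str, now: int, set_timestamp: bool = True) -> None:
    """Store with the preferred algorithm; set_timestamp=False is for silent rehashes."""
    salt = secrets.token_hex(16)
    user.password_hash = _hash(PREFERRED_ALGORITHM, password, salt)
    user.password_algorithm = PREFERRED_ALGORITHM
    if set_timestamp:
        user.last_password_updated = now

def _validate_password(user: User, password: str) -> bool:
    """Plugin-level check against whatever algorithm the record was stored with."""
    salt = user.password_hash.rpartition("$")[0]   # '' for legacy unsalted records
    expected = _hash(user.password_algorithm, password, salt)
    return hmac.compare_digest(expected, user.password_hash)

def rehash_password_if_needed(user: User, password: str, now: int) -> bool:
    """After a successful login, upgrade a record stored with a non-preferred algorithm;
    the password itself did not change, so last_password_updated is left alone."""
    if user.password_algorithm == PREFERRED_ALGORITHM:
        return False
    set_password(user, password, now, set_timestamp=False)
    return True

def validate_password(user: User, password: str, now: int) -> bool:
    """Base-class style high-level check: verify, then migrate transparently."""
    if not _validate_password(user, password):
        return False
    rehash_password_if_needed(user, password, now)
    return True
```

A failed login never triggers a rehash, so the legacy hash is only replaced once the plaintext has been verified against it.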


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed 
to https://forge-allura.apache.org/p/allura/tickets/
