According to https://github.com/gavincarr/mod_auth_tkt/blob/master/conf/02_auth_tkt.conf and http://linux.die.net/man/3/mod_auth_tkt, mod_auth_tkt supports SHA256 and SHA512 since version 2.1.
Relevant: https://bitbucket.org/ianb/paste/changeset/7f90a96378ed

On Sun, Sep 9, 2012 at 4:56 PM, Chris McDonough <chr...@plope.com> wrote:
> On Sun, 2012-09-09 at 06:55 -0700, Florian Rüchel wrote:
> > I was getting interested in how Pyramid's authentication works and
> > looked through the commonly used AuthTktAuthenticationPolicy code. I
> > found out it uses MD5 and the only thing keeping the cookie from being
> > forged is the secret.
> >
> > I see two different issues here:
> > First, MD5 is already known to have weaknesses and it would be a good
> > idea to have different algorithms available so they can be set. This
> > shouldn't be very hard to implement (I can write a patch if you
> > desire) and it can improve the security of any site.
> > Second, since everything depends on the single secret, I think it
> > should be documented better (communicated on at least the docstring
> > and the documentation) that the secret has to be strong (long, random,
> > maybe state a minimum length).
> >
>
> It would be fine by me if we made it possible to change the hashing
> algorithm. But it probably needs to continue to support md5, because
> its purpose is to be compatible with Apache mod_auth_tkt cookies. I
> would be happy to accept a patch that allowed folks to plug in a
> different hashing algorithm, and explain to them that if they do, it
> will no longer be compatible with those cookies.
>
> There are also existing options that can help make it stronger
> regardless of the hash, such as including the IP in the token, IIRC.
>
> - C
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-devel" group.
> To post to this group, send email to pylons-devel@googlegroups.com.
> To unsubscribe from this group, send email to
> pylons-devel+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/pylons-devel?hl=en.
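An added illustration of the scheme the thread is discussing (not code from this thread, from Pyramid, from Paste or from mod_auth_tkt): a minimal reimplementation of the auth_tkt ticket digest with a pluggable hashlib algorithm. The layout (two hash passes over the packed IP and timestamp, the secret, the user id, the tokens and the user data) is how I understand Paste's auth_tkt module to compute it; I have not checked it against the linked changeset, so treat the exact byte layout as an assumption. With hashalg='md5' it follows the existing wire format; any other algorithm changes the digest length and, as Chris notes, breaks compatibility with Apache cookies. The minimum secret length and the constant-time comparison are policy choices of this example, added to show the two points Florian raised. MIN_SECRET_LEN and all function names are hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Policy choice of this example, not a mod_auth_tkt requirement: the secret is
# the only thing protecting the ticket, so insist on a reasonably long one.
MIN_SECRET_LEN = 32


def encode_ip_timestamp(ip, timestamp):
    """Pack a dotted-quad IPv4 address and a 32-bit timestamp into 8 raw bytes.
    This prefix is what binds the ticket to the client IP (assumed layout)."""
    ip_bytes = bytes(int(octet) for octet in ip.split('.'))
    return ip_bytes + int(timestamp).to_bytes(4, 'big')


def calculate_digest(ip, timestamp, secret, userid, tokens, user_data, hashalg='md5'):
    """Two-pass digest: H(H(ip|ts|secret|userid\\0tokens\\0user_data)|secret).
    hashalg is any name hashlib accepts; 'md5' is the wire-compatible default."""
    secret_b = secret.encode('utf-8')
    first = hashlib.new(hashalg)
    first.update(encode_ip_timestamp(ip, timestamp) + secret_b
                 + userid.encode('utf-8') + b'\0'
                 + tokens.encode('utf-8') + b'\0'
                 + user_data.encode('utf-8'))
    second = hashlib.new(hashalg)
    second.update(first.hexdigest().encode('ascii') + secret_b)
    return second.hexdigest()


def make_ticket(secret, userid, ip='0.0.0.0', tokens='', user_data='',
                timestamp=None, hashalg='md5'):
    """Build the cookie value: hexdigest + 8 hex chars of timestamp + userid!tokens!data."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError('secret must be at least %d characters of random data'
                         % MIN_SECRET_LEN)
    if timestamp is None:
        timestamp = int(time.time())
    digest = calculate_digest(ip, timestamp, secret, userid, tokens, user_data, hashalg)
    ticket = '%s%08x%s!' % (digest, timestamp, quote(userid))
    if tokens:
        ticket += tokens + '!'
    ticket += user_data
    return ticket


def parse_ticket(secret, ticket, ip='0.0.0.0', hashalg='md5', max_age=None, now=None):
    """Verify and unpack a ticket; raises ValueError on any failure.
    Returns (timestamp, userid, token list, user_data)."""
    digest_len = hashlib.new(hashalg).digest_size * 2
    digest = ticket[:digest_len]
    try:
        timestamp = int(ticket[digest_len:digest_len + 8], 16)
    except ValueError:
        raise ValueError('malformed ticket: bad timestamp')
    rest = ticket[digest_len + 8:]
    if '!' not in rest:
        raise ValueError('malformed ticket: no userid separator')
    quoted_userid, data = rest.split('!', 1)
    userid = unquote(quoted_userid)
    if '!' in data:
        tokens, user_data = data.split('!', 1)
    else:
        tokens, user_data = '', data
    expected = calculate_digest(ip, timestamp, secret, userid, tokens, user_data, hashalg)
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected.encode('ascii'), digest.encode('utf-8')):
        raise ValueError('digest mismatch: forged, tampered with, or issued for another IP')
    if max_age is not None:
        now = int(time.time()) if now is None else now
        if now - timestamp > max_age:
            raise ValueError('ticket expired')
    return timestamp, userid, tokens.split(',') if tokens else [], user_data


if __name__ == '__main__':
    # Constructed sample values; a real secret must come from a CSPRNG.
    secret = 'c0nstructed-example-secret-0123456789abcdef'
    t = make_ticket(secret, 'florian', ip='192.0.2.10', tokens='admin,editor',
                    user_data='x', timestamp=1347209760, hashalg='sha512')
    print(t)
    print(parse_ticket(secret, t, ip='192.0.2.10', hashalg='sha512'))
```

Verifying a ticket with a different hashalg, a different client IP, or a tampered payload all fail the digest check; the sha512 ticket is 96 characters longer than an md5 one, which is exactly why a mixed Apache/Pyramid deployment has to stay on md5 until both sides are switched together.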