On Sun, 2012-09-09 at 17:40 +0200, Domen Kožar wrote:
> According to
> https://github.com/gavincarr/mod_auth_tkt/blob/master/conf/02_auth_tkt.conf
> and http://linux.die.net/man/3/mod_auth_tkt, mod_auth_tkt supports SHA256
> and SHA512 since version 2.1
>
> Relevant: https://bitbucket.org/ianb/paste/changeset/7f90a96378ed

Cool. We should do something similar I guess.

> On Sun, Sep 9, 2012 at 4:56 PM, Chris McDonough <chr...@plope.com> wrote:
> > On Sun, 2012-09-09 at 06:55 -0700, Florian Rüchel wrote:
> > > I was getting interested in how Pyramid's authentication works and
> > > looked through the commonly used AuthTktAuthenticationPolicy code. I
> > > found out it uses MD5 and the only thing keeping the cookie from being
> > > forged is the secret.
> > >
> > > I see two different issues here:
> > > First, MD5 is already known to have weaknesses and it would be a good
> > > idea to have different algorithms available so they can be set. This
> > > shouldn't be very hard to implement (I can write a patch if you
> > > desire) and it can improve the security of any site.
> > > Second, since everything depends on the single secret, I think it
> > > should be documented better (communicated on at least the docstring
> > > and the documentation) that the secret has to be strong (long, random,
> > > maybe state a minimum length).
> >
> > It would be fine by me if we made it possible to change the hashing
> > algorithm. But it probably needs to continue to support md5, because
> > its purpose is to be compatible with Apache mod_auth_tkt cookies. I
> > would be happy to accept a patch that allowed folks to plug in a
> > different hashing algorithm, and explain to them that if they do, it
> > will no longer be compatible with those cookies.
> >
> > There are also existing options that can help make it stronger
> > regardless of the hash, such as including the IP in the token, IIRC.
> >
> > - C

--
You received this message because you are subscribed to the Google Groups "pylons-devel" group.
To post to this group, send email to pylons-devel@googlegroups.com.
To unsubscribe from this group, send email to pylons-devel+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pylons-devel?hl=en.
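The thread above discusses three things: an auth_tkt-style cookie whose only protection is the shared secret, making the digest algorithm pluggable (md5 for mod_auth_tkt compatibility, sha256/sha512 otherwise), and binding the ticket to the client IP. The following is an added example written for this page; it is not code from the thread, from Pyramid or from Paste. It models the two-round auth_tkt digest as commonly described (packed IPv4 + 32-bit timestamp, secret, userid, tokens and user data), but the exact byte layout, the function names (`calculate_digest`, `make_ticket`, `parse_ticket`, `ticket_is_valid`) and the sample secret are assumptions of this example, not the real wire format of any specific library version.

```python
# Added example, not code from the pylons-devel thread, Pyramid or Paste.
# A minimal auth_tkt-style ticket with a pluggable digest algorithm. The
# byte layout below follows the auth_tkt convention as commonly described
# and is an assumption of this example.
import hashlib
import hmac
import socket
import struct
import time

# 'md5' keeps mod_auth_tkt wire compatibility; the others are what the
# thread says mod_auth_tkt >= 2.1 also accepts. Any other choice breaks
# interoperability with mod_auth_tkt cookies, as the thread notes.
DIGESTS = {"md5": hashlib.md5, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def encode_ip_timestamp(ip, timestamp):
    # Four packed IPv4 octets followed by a big-endian 32-bit timestamp.
    return socket.inet_aton(ip) + struct.pack("!I", timestamp)


def calculate_digest(ip, timestamp, secret, userid, tokens, user_data, algo="md5"):
    # Two rounds: hash(hash(ip|ts|secret|userid|0|tokens|0|data) + secret).
    # The secret is the only input an outsider lacks, so its strength bounds
    # the ticket's strength no matter which algorithm is selected.
    h = DIGESTS[algo]
    secret = secret.encode()
    digest0 = h(
        encode_ip_timestamp(ip, timestamp)
        + secret
        + userid.encode() + b"\0" + tokens.encode() + b"\0" + user_data.encode()
    ).hexdigest()
    return h(digest0.encode() + secret).hexdigest()


def make_ticket(secret, userid, ip="0.0.0.0", tokens="", user_data="",
                timestamp=None, algo="md5"):
    # ip="0.0.0.0" means "not bound to a client address"; pass the real
    # client IP to get the binding the thread mentions as a hardening option.
    if timestamp is None:
        timestamp = int(time.time())
    digest = calculate_digest(ip, timestamp, secret, userid, tokens, user_data, algo)
    return "%s%08x%s!%s!%s" % (digest, timestamp, userid, tokens, user_data)


def parse_ticket(secret, ticket, ip="0.0.0.0", algo="md5"):
    # Returns (timestamp, userid, tokens, user_data); raises ValueError on
    # malformed input or a digest that does not match under `secret`.
    digest_len = DIGESTS[algo]().digest_size * 2  # hex characters
    digest = ticket[:digest_len]
    try:
        timestamp = int(ticket[digest_len:digest_len + 8], 16)
    except ValueError:
        raise ValueError("malformed timestamp")
    try:
        userid, tokens, user_data = ticket[digest_len + 8:].split("!", 2)
    except ValueError:
        raise ValueError("malformed ticket body")
    expected = calculate_digest(ip, timestamp, secret, userid, tokens, user_data, algo)
    # Constant-time comparison: a forger should learn nothing from timing.
    if not hmac.compare_digest(expected, digest):
        raise ValueError("digest mismatch")
    return timestamp, userid, tokens, user_data


def ticket_is_valid(secret, ticket, ip="0.0.0.0", algo="md5"):
    # Boolean wrapper for callers that only need accept/reject.
    try:
        parse_ticket(secret, ticket, ip=ip, algo=algo)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo values; the secret is a placeholder, not a real one.
    secret = "constructed-example-secret-replace-with-long-random-value"
    t = make_ticket(secret, "alice", ip="10.0.0.5", tokens="admin", algo="sha256")
    print(t)
    print("valid from 10.0.0.5:", ticket_is_valid(secret, t, ip="10.0.0.5", algo="sha256"))
    print("valid from 10.0.0.6:", ticket_is_valid(secret, t, ip="10.0.0.6", algo="sha256"))
```

Two points the code makes concrete: the digest length on the wire changes with the algorithm (32 hex characters for md5, 64 for sha256), which is why a consumer expecting mod_auth_tkt tickets cannot simply be pointed at a sha256 cookie, and an IP-bound ticket presented from a different address fails verification even when the secret and algorithm are correct.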