currently, original mod_auth_tkt supports also SHA256 and SHA 512 ,
not just plain MD5. Quoting:
The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly
applicable to mod_auth_tkt, which primarily relies on the security
of the shared secret rather than the strength of the hashing scheme.
More paranoid users will probably prefer to use one of the SHA digest
The default is likely to change in a future version, so setting the
digest type explicitly is encouraged.
I've made a modification to Paste's auth_tkt auth module to allow
overriding of default MD5 digest:
Is the proposed change likely to be accepted?
I am CC'ing repoze-dev as repoze.who.plugins.auth_tkt could also
benefit from this change (is the change integration-ready?).
Repoze-dev mailing list