On 02/03/12 14:48 +0100, Jan Pokorný wrote:

currently, original mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5.  Quoting:

The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly
applicable to mod_auth_tkt, which primarily relies on the security
of the shared secret rather than the strength of the hashing scheme.
More paranoid users will probably prefer to use one of the SHA digest
types, however.

The default is likely to change in a future version, so setting the
digest type explicitly is encouraged.

I've made a modification to Paste's auth_tkt auth module to allow
overriding of default MD5 digest:


Update (based Ian's comments):
The algorithm can also be specified as a string referring to the
algorithm known to hashlib (otherwise AttributeError will be raised).

The new version:
https://bitbucket.org/jnpkrn/paste/changeset/69404df8a13d (branch v2)

Any more comments or is it ready for pull request?

I am CC'ing repoze-dev as repoze.who.plugins.auth_tkt could also
benefit from this change (is the change integration-ready?).

[1] http://linux.die.net/man/3/mod_auth_tkt

Repoze-dev mailing list

Reply via email to