-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/05/2012 03:24 PM, Jan Pokorný wrote: > On 02/03/12 14:48 +0100, Jan Pokorný wrote: >> Hello, >> >> currently, original mod_auth_tkt supports also SHA256 and SHA 512 >> [1], not just plain MD5. Quoting: >> >> ----v---- The default is MD5, which is faster, but has now been >> shown to be vulnerable to collision attacks. Such attacks are not >> directly applicable to mod_auth_tkt, which primarily relies on the >> security of the shared secret rather than the strength of the >> hashing scheme. More paranoid users will probably prefer to use one >> of the SHA digest types, however. >> >> The default is likely to change in a future version, so setting the >> digest type explicitly is encouraged. ----^---- >> >> I've made a modification to Paste's auth_tkt auth module to allow >> overriding of default MD5 digest: >> >> https://bitbucket.org/jnpkrn/paste/changeset/5499c61eb27f >> > > Update (based Ian's comments): The algorithm can also be specified as > a string referring to the algorithm known to hashlib (otherwise > AttributeError will be raised). > > The new version: > https://bitbucket.org/jnpkrn/paste/changeset/69404df8a13d (branch v2) > > Any more comments or is it ready for pull request? > >> I am CC'ing repoze-dev as repoze.who.plugins.auth_tkt could also >> benefit from this change (is the change integration-ready?).
Assuming a new release of paste becomes available supporting this feature, I have no problem extending the r.who plugin to expose it. Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 tsea...@palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9VJyIACgkQ+gerLs4ltQ4FugCePlj2dDmCpWWnu5DU3EseSu2Y 2lsAoKSjpZAntc56fOMd/wvcG/oj7ol6 =PyRv -----END PGP SIGNATURE----- _______________________________________________ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev