Re: AuthTktAuthenticationPolicy using MD5

2012-09-24 Thread Daniel Holth
https://github.com/plone/plone.session/blob/master/plone/session/tktauth.py Have you been able to use your patch with Apache's mod_auth_tkt? On Sunday, September 23, 2012 12:03:43 PM UTC-4, Domen Kožar wrote: Created pull request, changed the approach a bit:

Re: AuthTktAuthenticationPolicy using MD5

2012-09-24 Thread Domen Kožar
Unfortunately I stopped using Apache as web server back in 2006, could someone else try that? Thanks! On Mon, Sep 24, 2012 at 3:58 PM, Daniel Holth dho...@gmail.com wrote: https://github.com/plone/plone.session/blob/master/plone/session/tktauth.py Have you been able to use your patch with

Re: AuthTktAuthenticationPolicy using MD5

2012-09-23 Thread Florian Rüchel
How about a script that's part of the framework itself? We have pserve, pcreate... how about pkeygen [-w filename] or pyramid-keygen [-w filename] I like this idea very much. I would like to either get this usage approved or I would just build a simple function inside pyramid.

Re: AuthTktAuthenticationPolicy using MD5

2012-09-23 Thread Chris McDonough
On Sun, 2012-09-23 at 05:54 -0700, Florian Rüchel wrote: How about a script that's part of the framework itself? We have pserve, pcreate... how about pkeygen [-w filename] or pyramid-keygen [-w filename]

Re: AuthTktAuthenticationPolicy using MD5

2012-09-21 Thread Jonathan Vanasco
Additionally you could provide help on how to generate such a secret (but that's extra candy). I have looked through various parts of the documentation and it is always set to something like 'seekrit' and similar, but it is never mentioned how to make sure that this is secure. fwiw,

Re: AuthTktAuthenticationPolicy using MD5

2012-09-21 Thread Domen Kožar
For generating secrets it's important to discourage usage of the random module, but use something like: secret = ''.join('%02x' % ord(x) for x in os.urandom(128)) On Fri, Sep 21, 2012 at 7:50 PM, Jonathan Vanasco jonat...@findmeon.com wrote: Additionally you could provide help on how to

Re: AuthTktAuthenticationPolicy using MD5

2012-09-21 Thread Daniel Holth
On Fri, Sep 21, 2012 at 1:54 PM, Domen Kožar do...@dev.si wrote: For generating secrets it's important to discourage usage of the random module, but use something like: secret = ''.join('%02x' % ord(x) for x in os.urandom(128)) Great WordPress site! Secrets transmitted in the clear without

Re: AuthTktAuthenticationPolicy using MD5

2012-09-21 Thread Vlad K.
On 09/21/2012 07:50 PM, Jonathan Vanasco wrote: I think most of the application scaffolds will generate a secret - but it might be a useful feature to just have a secret-key generator on the pylonsproject.org site and referenced in the docs. How about a script that's part of the framework

Re: AuthTktAuthenticationPolicy using MD5

2012-09-14 Thread Florian Rüchel
Hi Domen, I would agree with you if it would really complicate things much, but I can't see why it would. All those cases are really simple to implement and I don't see any security risks either as the configuration of the hash algorithm is under full control of the application developer using

Re: AuthTktAuthenticationPolicy using MD5

2012-09-13 Thread Domen Kožar
Hi Florian, It's probably enough to support MD5, SHA256 and SHA512. Maybe just do case insensitive comparison and default to MD5. I wouldn't complicate too much, as long as we can get the benefit of being compatible with specs and modern crypto. my 2 cents, cheers Domen On Mon, Sep 10, 2012

Re: AuthTktAuthenticationPolicy using MD5

2012-09-09 Thread Chris McDonough
On Sun, 2012-09-09 at 06:55 -0700, Florian Rüchel wrote: I was getting interested in how Pyramid's authentication works and looked through the commonly used AuthTktAuthenticationPolicy code. I found out it uses MD5 and the only thing keeping the cookie from being forged is the secret. I see

Re: AuthTktAuthenticationPolicy using MD5

2012-09-09 Thread Chris McDonough
On Sun, 2012-09-09 at 17:40 +0200, Domen Kožar wrote: According to https://github.com/gavincarr/mod_auth_tkt/blob/master/conf/02_auth_tkt.conf and http://linux.die.net/man/3/mod_auth_tkt, mod_auth_tkt supports SHA256 and SHA512 since version 2.1 Relevant:

Re: AuthTktAuthenticationPolicy using MD5

2012-09-09 Thread Domen Kožar
Florian: do you plan to provide a patch? On Sun, Sep 9, 2012 at 5:45 PM, Chris McDonough chr...@plope.com wrote: On Sun, 2012-09-09 at 17:40 +0200, Domen Kožar wrote: According to https://github.com/gavincarr/mod_auth_tkt/blob/master/conf/02_auth_tkt.conf and

Re: AuthTktAuthenticationPolicy using MD5

2012-09-09 Thread Daniel Holth
I dislike MD5 as much as the next guy, but auth_tkt uses a double hashing scheme that is almost HMAC. HMAC overcomes most of the problems of an otherwise weak hash function. It isn't as bad as you might think. The SHA-2 functions are a great replacement. SHA-2 auth_tkt is what I would use. SHA-1 is

Re: AuthTktAuthenticationPolicy using MD5

2012-09-09 Thread Florian Rüchel
On Sunday, September 9, 2012 8:23:45 PM UTC+2, Domen Kožar wrote: Florian: do you plan to provide a patch? I am willing to provide a patch but I am new to Pyramid and would definitely need someone to double check which places need changing. For example we need a dynamic split depending on

Re: AuthTktAuthenticationPolicy using MD5

2012-09-09 Thread Chris McDonough
On Sun, 2012-09-09 at 12:25 -0700, Florian Rüchel wrote: On Sunday, September 9, 2012 8:23:45 PM UTC+2, Domen Kožar wrote: Florian: do you plan to provide a patch? I am willing to provide a patch but I am new to pyramid and would definitely need someone to double check which