I was getting interested in how Pyramid's authentication works and looked
through the commonly used AuthTktAuthenticationPolicy code. I found out it
uses MD5 and the only thing keeping the cookie from being forged is the
secret.
I see two different issues here:
First, MD5 is already known to
On Sun, 2012-09-09 at 06:55 -0700, Florian Rüchel wrote:
I was getting interested in how Pyramid's authentication works and
looked through the commonly used AuthTktAuthenticationPolicy code. I
found out it uses MD5 and the only thing keeping the cookie from being
forged is the secret.
I see
On Sun, 2012-09-09 at 17:40 +0200, Domen Kožar wrote:
According to
https://github.com/gavincarr/mod_auth_tkt/blob/master/conf/02_auth_tkt.conf
and http://linux.die.net/man/3/mod_auth_tkt, mod_auth_tkt supports SHA256
and SHA512 since version 2.1
Relevant:
Florian: do you plan to provide a patch?
On Sun, Sep 9, 2012 at 5:45 PM, Chris McDonough chr...@plope.com wrote:
On Sun, 2012-09-09 at 17:40 +0200, Domen Kožar wrote:
According to
https://github.com/gavincarr/mod_auth_tkt/blob/master/conf/02_auth_tkt.conf
and
I dislike MD5 as much as the next guy, but auth_tkt uses a double hashing
scheme that is almost HMAC. HMAC overcomes most of the problems of an
otherwise weak hash function. It isn't as bad as you might think.
The SHA-2 functions are a great replacement. SHA-2 auth_tkt is what I would
use. SHA-1 is
On Sunday, September 9, 2012 8:23:45 PM UTC+2, Domen Kožar wrote:
Florian: do you plan to provide a patch?
I am willing to provide a patch but I am new to pyramid and would
definitely need someone to double check which places need changing. For
example we need a dynamic split depending on
On Sun, 2012-09-09 at 12:25 -0700, Florian Rüchel wrote:
On Sunday, September 9, 2012 8:23:45 PM UTC+2, Domen Kožar wrote:
Florian: do you plan to provide a patch?
I am willing to provide a patch but I am new to pyramid and would
definitely need someone to double check which
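As an added illustration of the points raised in this thread (this is example code written for this page, not code from the thread, from Pyramid or from mod_auth_tkt): a small Python implementation of the auth_tkt double-hash digest with a selectable hash, a real HMAC over the same fields for comparison, and a ticket parser whose split point depends on the digest length of the chosen hash. The field layout (client IP and timestamp packed into 8 bytes, then secret, userid, NUL, tokens, NUL, user data; outer hash over the inner hexdigest plus the secret; ticket laid out as digest, 8 hex timestamp chars, userid!tokens!user_data) is my reading of the Paste/Pyramid auth_tkt module and should be treated as an assumption. The secret, IP, timestamp and userid are constructed for the example.

```python
import hashlib
import hmac
import time


class BadTicket(Exception):
    """Raised when a ticket is malformed or its digest does not verify."""


def encode_ip_timestamp(ip, timestamp):
    """Pack the client IP (dotted quad) and a Unix timestamp into 8 bytes."""
    ip_bytes = bytes(int(octet) for octet in ip.split('.'))
    ts_bytes = int(timestamp).to_bytes(4, 'big')
    return ip_bytes + ts_bytes


def auth_tkt_digest(secret, ip, timestamp, userid, tokens, user_data, hashalg='md5'):
    """auth_tkt's double hash (layout assumed from Paste/Pyramid auth_tkt):
    inner = H(ip_ts + secret + userid + '\\0' + tokens + '\\0' + user_data)
    outer = H(hex(inner) + secret)
    The hash is selectable, so the same construction runs with md5, sha256 or sha512."""
    inner = hashlib.new(hashalg)
    inner.update(encode_ip_timestamp(ip, timestamp) + secret + userid
                 + b'\0' + tokens + b'\0' + user_data)
    outer = hashlib.new(hashalg)
    outer.update(inner.hexdigest().encode('ascii') + secret)
    return outer.hexdigest()


def hmac_digest(secret, ip, timestamp, userid, tokens, user_data, hashalg='md5'):
    """The same fields under a standard HMAC, for comparison with the double hash."""
    payload = (encode_ip_timestamp(ip, timestamp) + userid
               + b'\0' + tokens + b'\0' + user_data)
    return hmac.new(secret, payload, hashalg).hexdigest()


def make_ticket(secret, ip, userid, tokens=b'', user_data=b'', timestamp=None, hashalg='md5'):
    """Build a ticket: <hex digest><8 hex timestamp chars><userid>!<tokens>!<user_data>."""
    if timestamp is None:
        timestamp = int(time.time())
    digest = auth_tkt_digest(secret, ip, timestamp, userid, tokens, user_data, hashalg)
    return (digest.encode('ascii') + b'%08x' % int(timestamp)
            + userid + b'!' + tokens + b'!' + user_data)


def parse_ticket(secret, ticket, ip, hashalg='md5'):
    """Split and verify a ticket. The split point is the hexdigest length of the
    chosen hash: 32 chars for md5, 64 for sha256, 128 for sha512. That is the
    'dynamic split' a policy accepting more than one hash has to make."""
    digest_size = hashlib.new(hashalg).digest_size * 2   # hexdigest length
    if len(ticket) < digest_size + 8:
        raise BadTicket('ticket too short')
    digest = ticket[:digest_size]
    try:
        timestamp = int(ticket[digest_size:digest_size + 8], 16)
    except ValueError:
        raise BadTicket('bad timestamp')
    rest = ticket[digest_size + 8:]
    if b'!' not in rest:
        raise BadTicket('missing field separator')
    userid, data = rest.split(b'!', 1)
    if b'!' in data:
        tokens, user_data = data.split(b'!', 1)
    else:
        tokens, user_data = b'', data
    expected = auth_tkt_digest(secret, ip, timestamp, userid, tokens, user_data, hashalg)
    # Constant-time comparison: the digest is the only thing keeping the ticket honest.
    if not hmac.compare_digest(expected.encode('ascii'), digest):
        raise BadTicket('digest mismatch')
    token_list = tokens.split(b',') if tokens else []
    return timestamp, userid, token_list, user_data


if __name__ == '__main__':
    secret = b'constructed-example-secret'   # constructed for the example, not a real secret
    for alg in ('md5', 'sha256', 'sha512'):
        t = make_ticket(secret, '10.0.0.1', b'florian', b'admin,editor', b'x=1', 1347200000, alg)
        print(alg, 'digest chars:', hashlib.new(alg).digest_size * 2,
              parse_ticket(secret, t, '10.0.0.1', alg))
```

Running the script builds the same ticket under md5, sha256 and sha512 and shows the digest prefix growing from 32 to 64 to 128 hex characters, which is why a fixed 32-character split stops working once a second hash is allowed. Tampering with the userid, presenting the ticket from another IP, or parsing it with the wrong hashalg all fail the digest check. hmac_digest is there only to show that the double hash and HMAC take the same inputs and produce digests of the same length but different values, so switching constructions would also mean invalidating existing tickets.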