Hello, currently, original mod_auth_tkt supports also SHA256 and SHA 512 [1], not just plain MD5. Quoting:
----v---- The default is MD5, which is faster, but has now been shown to be vulnerable to collision attacks. Such attacks are not directly applicable to mod_auth_tkt, which primarily relies on the security of the shared secret rather than the strength of the hashing scheme. More paranoid users will probably prefer to use one of the SHA digest types, however. The default is likely to change in a future version, so setting the digest type explicitly is encouraged. ----^---- I've made a modification to Paste's auth_tkt auth module to allow overriding of default MD5 digest: https://bitbucket.org/jnpkrn/paste/changeset/5499c61eb27f Is the proposed change likely to be accepted? I am CC'ing repoze-dev as repoze.who.plugins.auth_tkt could also benefit from this change (is the change integration-ready?). [1] http://linux.die.net/man/3/mod_auth_tkt Thanks, Jan _______________________________________________ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
