Keystone should support pre-hashed passwords

Bug #1400443 reported by Tyler North
Affects                        Status     Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Expired    Wishlist    Unassigned   -
OpenStack Security Advisory    Won't Fix  Undecided   Unassigned   -

Bug Description

Passwords should be allowed to be pre-hashed upon user creation for better security.

A user may want to store passwords in a script file, and it is much safer for these to be hashed beforehand so that the password is not in plaintext.

This was implemented in keystone at one point:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=e492bbc68ef41b276a0a18c6dbeda242d46b66f4

Tags: security
Tyler North (ty-north) wrote :
information type: Private Security → Public Security
Morgan Fainberg (mdrnstm) wrote :

Is this request specific to the LDAP backend or in general? The referenced change was that keystone was hashing the passwords and then submitting the hash to LDAP. This doesn't work very well for a number of reasons (one of which is that we're not guaranteed that the hashing algorithm is supported on the LDAP server, it is better to let LDAP hash the password[s]).

In general, the answer is that Keystone should not be hashing the password and asking LDAP to blindly store it. Some LDAP implementations won't allow this.

Changed in keystone:
status: New → Incomplete
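The two comments above (the request to pre-hash passwords before handing them to Keystone, and the reply that a directory server may not support whatever scheme the client chose) can be illustrated with a small model of how RFC 2307-style userPassword values are handled. The code below is an added example, not Keystone's code and not part of this bug report: it builds and verifies a {SSHA} value, splits a userPassword into scheme and payload, and models the server-side acceptance check. The set SERVER_SUPPORTED_SCHEMES and the "{ARGON2}" value used in main are constructed for the example; which schemes a real directory accepts depends on the server and its loaded modules.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed for this example: the password schemes one particular directory
# server is assumed to accept in userPassword. Real servers differ, which is the
# failure mode the comment above describes.
SERVER_SUPPORTED_SCHEMES = {"SSHA", "SHA", "CRYPT"}


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(value: str) -> Tuple[Optional[str], str]:
    """Split '{SCHEME}payload' into ('SCHEME', payload). Cleartext has no scheme."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The salt is appended to the SHA-1 digest (20 bytes), so it is recovered from
    the decoded payload rather than stored separately.
    """
    scheme, payload = split_scheme(stored)
    if scheme != "SSHA":
        return False
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def server_accepts(value: str, supported=SERVER_SUPPORTED_SCHEMES) -> bool:
    """Model of the directory server's check on an incoming userPassword.

    A cleartext value is hashed by the server itself with its configured scheme,
    so it is always accepted. A pre-hashed value is only usable if the server
    knows the scheme; otherwise binds with that password would fail.
    """
    scheme, _ = split_scheme(value)
    return scheme is None or scheme in supported


def main() -> None:
    # Cleartext: the server hashes it with its own configured scheme.
    print("cleartext accepted:", server_accepts("s3cret"))

    # Pre-hashed with a scheme the server supports.
    pre = ssha_hash("s3cret")
    print("SSHA accepted:", server_accepts(pre), "verifies:", verify_ssha(pre, "s3cret"))

    # Pre-hashed with a scheme this server does not know (constructed value).
    unknown = "{ARGON2}$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$ZmFrZWhhc2g"
    print("ARGON2 accepted:", server_accepts(unknown))


if __name__ == "__main__":
    main()
```

The example keeps the verification step separate from the acceptance check on purpose: a client that pre-hashes has to be sure both that the server will store the value and that the server's bind logic can verify against it, and only the server knows the second part.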
Jeremy Stanley (fungi) wrote :

This is pretty clearly a security hardening request and not a security vulnerability report, so I've adjusted its classification accordingly.

tags: added: security
information type: Public Security → Public
Changed in ossa:
status: New → Won't Fix
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Wishlist
Launchpad Janitor (janitor) wrote :

[Expired for Keystone because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired