Activity log for bug #1668503

Date Who What changed Old value New value Message
2017-02-28 05:23:47 Morgan Fainberg bug added bug
2017-02-28 05:24:07 Morgan Fainberg bug task added ossa
2017-02-28 05:24:14 Morgan Fainberg ossa: status New -> Incomplete
2017-02-28 05:46:36 OpenStack Infra keystone: status Triaged -> In Progress
2017-02-28 05:46:45 Morgan Fainberg keystone: importance Critical -> High
2017-02-28 05:47:54 Morgan Fainberg nominated for series keystone/mitaka
2017-02-28 05:47:54 Morgan Fainberg bug task added keystone/mitaka
2017-02-28 05:47:54 Morgan Fainberg nominated for series keystone/pike
2017-02-28 05:47:54 Morgan Fainberg bug task added keystone/pike
2017-02-28 05:47:54 Morgan Fainberg nominated for series keystone/newton
2017-02-28 05:47:54 Morgan Fainberg bug task added keystone/newton
2017-02-28 05:47:54 Morgan Fainberg nominated for series keystone/ocata
2017-02-28 05:47:54 Morgan Fainberg bug task added keystone/ocata
2017-02-28 05:48:25 Morgan Fainberg description "Keystone uses sha512_crypt for password hashing. This is completely insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing). The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead of sha512_crypt. This bug is marked as public security as bug #1543048 has already highlighted this issue." -> "Keystone uses sha512_crypt for password hashing. This is insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing). The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead of sha512_crypt. This bug is marked as public security as bug #1543048 has already highlighted this issue."
2017-02-28 14:02:03 Jeremy Stanley summary "sha512_crypt is insufficient, use pdkfd_sha512 for password hashing" -> "sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing"
2017-02-28 14:02:57 Jeremy Stanley description "Keystone uses sha512_crypt for password hashing. This is insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing). The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead of sha512_crypt. This bug is marked as public security as bug #1543048 has already highlighted this issue." -> "Keystone uses sha512_crypt for password hashing. This is insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing). The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512 instead of sha512_crypt. This bug is marked as public security as bug #1543048 has already highlighted this issue."
2017-02-28 23:03:09 Morgan Fainberg keystone/ocata: status New -> Won't Fix
2017-02-28 23:03:16 Morgan Fainberg keystone/mitaka: status New -> Won't Fix
2017-02-28 23:03:22 Morgan Fainberg keystone/newton: status New -> Won't Fix
2017-05-19 00:38:38 OpenStack Infra keystone: assignee Morgan Fainberg (mdrnstm) -> Gage Hugo (gagehugo)
2017-05-19 14:25:21 Lance Bragstad keystone/pike: assignee Gage Hugo (gagehugo)
2017-05-19 14:25:33 Lance Bragstad keystone/pike: assignee Morgan Fainberg (mdrnstm)
2017-06-02 12:20:45 OpenStack Infra keystone: status In Progress -> Fix Released
2017-06-09 19:43:47 Lance Bragstad keystone/pike: milestone pike-2
2017-08-15 04:02:50 Tristan Cacqueray bug task added ossn
2017-08-15 04:03:00 Tristan Cacqueray ossa: status Incomplete -> Won't Fix
2017-08-15 06:57:58 Luke Hinds ossn: assignee Luke Hinds (lhinds)
2017-08-30 14:25:20 Luke Hinds ossn: status New -> In Progress
2017-08-30 14:25:29 Luke Hinds ossn: importance Undecided -> High
2017-08-30 14:51:14 Luke Hinds ossn: status In Progress -> Fix Committed
2017-09-17 11:28:26 Luke Hinds ossn: status Fix Committed -> Fix Released