Comment 10 for bug 1668503

Morgan Fainberg (mdrnstm) wrote : Re: [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

** or to whichever hash is configured if not default.

On Aug 15, 2017 07:48, "Morgan Fainberg" <email address hidden> wrote:

> All new/updated/changed passwords (after upgrade) would be bcrypt hashed,
> old passwords remain sha512_crypt. An operator may want to force password
> changes.
>
> On Aug 15, 2017 00:11, "Luke Hinds" <email address hidden> wrote:
>
>> Couple of Q's...
>>
>> For the OSSN what would the 'recommended actions' be to update to Pike?
>>
>> Is it a seamless crossover going from sha512_crypt to bcrypt, scrypt, or
>> pbkdf2_sha512, or would passwords need to be regenerated (thinking in
>> this instance of an operator upgrading from a previous release to Pike)
>> ?
>>
>> ** Changed in: ossn
>> Assignee: (unassigned) => Luke Hinds (lhinds)
>>
>> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> Matching subscriptions: Private security bugs
>> https://bugs.launchpad.net/bugs/1668503
>>
>> Title:
>> sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
>>
>> Status in OpenStack Identity (keystone):
>> Fix Released
>> Status in OpenStack Identity (keystone) mitaka series:
>> Won't Fix
>> Status in OpenStack Identity (keystone) newton series:
>> Won't Fix
>> Status in OpenStack Identity (keystone) ocata series:
>> Won't Fix
>> Status in OpenStack Identity (keystone) pike series:
>> Fix Released
>> Status in OpenStack Security Advisory:
>> Won't Fix
>> Status in OpenStack Security Notes:
>> New
>>
>> Bug description:
>> Keystone uses sha512_crypt for password hashing. This is insufficient
>> and provides limited protection (even with 10,000 rounds) against
>> brute-forcing of the password hashes (especially with FPGAs and/or GPU
>> processing).
>>
>> The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512
>> instead of sha512_crypt.
>>
>> This bug is marked as public security as bug #1543048 has already
>> highlighted this issue.
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions
>>
>
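The crossover described in this thread (verify against whatever scheme the stored hash carries, rehash with the configured scheme on a successful login, and report which records are still on the legacy scheme so an operator can decide whether to force password changes) as an added example; it is not keystone's code and not part of the original bug thread. It is standard-library Python only: the sha512_crypt routine follows the SHA-crypt specification and self-checks against that specification's published test vector, and pbkdf2_sha512 (named in the bug title) stands in for the configured scheme because bcrypt is not in the standard library. The `$pbkdf2-sha512$rounds$salt$digest` hex layout, the user names, salts and passwords are constructed for this example and are not keystone's storage format.

```python
import hashlib
import hmac
import secrets

# --- sha512_crypt (the legacy scheme), per the SHA-crypt specification -------
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte permutation applied to the final digest before hash64 encoding.
_PERM = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
         (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
         (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
         (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
         (62, 20, 41)]


def _stretch(block: bytes, n: int) -> bytes:
    """Repeat a 64-byte digest to exactly n bytes (whole blocks, then a prefix)."""
    return (block * (n // 64 + 1))[:n]


def sha512_crypt(password: bytes, salt: str, rounds: int = 5000) -> str:
    s = salt[:16].encode()
    b = hashlib.sha512(password + s + password).digest()
    a = hashlib.sha512(password + s)
    a.update(_stretch(b, len(password)))
    n = len(password)
    while n:  # one step per bit of the password length, low bit first
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    p = _stretch(hashlib.sha512(password * len(password)).digest(), len(password))
    sb = _stretch(hashlib.sha512(s * (16 + a[0])).digest(), len(s))
    c = a
    for i in range(rounds):  # the expensive part: `rounds` chained digests
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(sb)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = []
    for x, y, z in _PERM:
        w = (c[x] << 16) | (c[y] << 8) | c[z]
        for _ in range(4):
            out.append(_B64[w & 0x3F])
            w >>= 6
    out += [_B64[c[63] & 0x3F], _B64[c[63] >> 6]]
    rounds_tag = f"rounds={rounds}$" if rounds != 5000 else ""
    return f"$6${rounds_tag}{s.decode()}${''.join(out)}"


def spec_vector_ok() -> bool:
    """Self-check against the test vector published with the SHA-crypt spec."""
    return sha512_crypt(b"Hello world!", "saltstring") == (
        "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJ"
        "uesI68u4OTLiBFdcbYEdFCoEOfaS35inz1")


def verify_sha512_crypt(password: bytes, stored: str) -> bool:
    fields = stored.split("$")[2:]  # ['rounds=N' (optional), salt, digest]
    rounds = int(fields.pop(0)[7:]) if fields[0].startswith("rounds=") else 5000
    salt, digest = fields
    got = sha512_crypt(password, salt, rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(got, digest)


# --- pbkdf2_sha512, standing in for the configured scheme --------------------
# Constructed layout for this example: $pbkdf2-sha512$<rounds>$<salt hex>$<dk hex>
def pbkdf2_sha512_hash(password: bytes, rounds: int = 25000) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha512", password, salt, rounds)
    return f"$pbkdf2-sha512${rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2_sha512(password: bytes, stored: str) -> bool:
    _, _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# scheme name -> (identifying prefix, verifier, hasher or None when verify-only)
SCHEMES = {
    "sha512_crypt": ("$6$", verify_sha512_crypt, None),
    "pbkdf2_sha512": ("$pbkdf2-sha512$", verify_pbkdf2_sha512, pbkdf2_sha512_hash),
}


def scheme_of(stored: str) -> str:
    for name, (prefix, _, _) in SCHEMES.items():
        if stored.startswith(prefix):
            return name
    raise ValueError("hash in unknown format")


def authenticate(store: dict, user: str, password: bytes,
                 configured: str = "pbkdf2_sha512") -> tuple:
    """Verify with the scheme the stored hash carries; on success, rehash with
    the configured scheme if it differs. Returns (authenticated, migrated)."""
    stored = store[user]
    name = scheme_of(stored)
    if not SCHEMES[name][1](password, stored):
        return False, False
    if name == configured:
        return True, False
    store[user] = SCHEMES[configured][2](password)
    return True, True


def legacy_users(store: dict, configured: str = "pbkdf2_sha512") -> set:
    """Records still on another scheme: they only migrate at the user's next
    login, which is what weighs on forcing password changes after an upgrade."""
    return {u for u, h in store.items() if scheme_of(h) != configured}


# Constructed sample store: one pre-upgrade record (sha512_crypt, 10,000 rounds)
# and one already on the configured scheme. Names, salts and passwords are made up.
SAMPLE_STORE = {
    "alice": sha512_crypt(b"correct horse", "constructedsalt1", 10000),
    "bob": pbkdf2_sha512_hash(b"battery staple"),
}

if __name__ == "__main__":
    store = dict(SAMPLE_STORE)
    print("legacy before login:", legacy_users(store))
    print("alice login:", authenticate(store, "alice", b"correct horse"))
    print("legacy after login:", legacy_users(store))
```

Passing a different `configured` name is the "whichever hash is configured if not default" case: the registry decides which hasher writes the new record, while verification always follows the stored hash's own prefix, so a wrong password never triggers a rehash and records already on the configured scheme are left untouched.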