Upgrades from Zed to Antelope may fail due to the password truncation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | David Wilde | |
| OpenStack-Ansible | Fix Released | High | Damian Dąbrowski | |
Bug Description
Since 2023.1, keystone truncates bcrypt passwords to 54 characters [1], while OSA generates passwords for OpenStack services with a length between 16 and 64 characters [2].
It may cause issues with keystone authentication after an upgrade, because we recently disabled password updates by default [3].
Example scenario:
1. User1 was created during Zed release with password containing 64 characters.
2. The password was hashed using all 64 characters (in [4] it is only mentioned that bytes 55-72 are not fully mixed into the resulting hash, but that means they are still used to some extent).
3. OpenStack is upgraded to 2023.1 (where keystone truncates passwords to 54 characters when hashing).
4. User1 cannot authenticate to keystone, because the hash was originally created using 64 characters but now only 54 characters are used.
As a solution I recommend:
- Enable ``service_
Please note that it will only fix passwords managed by openstack-ansible. User passwords containing more than 54 characters will stop working.
Enabling ``service_
- Edit pw-token-gen.py script to generate passwords with length up to 54 characters.
I do not suggest switching to scrypt because:
- We cannot rehash bcrypt passwords anyway
- Bcrypt is still default password_
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
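The scenario in the bug description, as an added example that is not keystone or openstack-ansible code: a password hashed with all of its characters (the Zed behaviour) no longer verifies once the verifier truncates the supplied password to 54 characters before hashing (the 2023.1 behaviour), while passwords of 54 characters or fewer are unaffected. bcrypt is replaced by the stdlib `hashlib.pbkdf2_hmac` so the block runs offline without a third-party package; the truncation logic, not the KDF, is what the example illustrates (real bcrypt only weakly mixes bytes 55-72, but they still change the hash, so the outcome is the same). The constants, the `find_at_risk` pre-upgrade check and the constructed secrets mapping are this example's own assumptions, not OSA's files or variables.

```python
"""Added example (not keystone or openstack-ansible code).

Models the failure from the bug report: a hash computed over a full 64-character
password in Zed, checked in 2023.1 after keystone truncates the password to 54
characters before hashing. hashlib.pbkdf2_hmac stands in for bcrypt so the
block runs with the standard library only (assumption for runnability).
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Optional

# Limit keystone applies before hashing since 2023.1, per the bug description.
TRUNCATE_CHARS = 54
# Length range produced by OSA's pw-token-gen.py, per the bug description.
OSA_PW_MIN, OSA_PW_MAX = 16, 64


def _kdf(password: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt; any KDF shows the same truncation effect.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def hash_password(password: str, max_chars: Optional[int]) -> str:
    """Hash a password, truncating first when max_chars is set (2023.1 behaviour)."""
    if max_chars is not None:
        password = password[:max_chars]
    salt = os.urandom(16)
    return salt.hex() + "$" + _kdf(password, salt).hex()


def verify_password(password: str, stored: str, max_chars: Optional[int]) -> bool:
    """Verify with the same truncation policy the verifier is running under."""
    if max_chars is not None:
        password = password[:max_chars]
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = _kdf(password, bytes.fromhex(salt_hex)).hex()
    return hmac.compare_digest(candidate, digest_hex)


def upgrade_breaks_login(password: str) -> bool:
    """True if a hash created in Zed (no truncation) fails once 2023.1 truncates."""
    zed_hash = hash_password(password, max_chars=None)
    return not verify_password(password, zed_hash, max_chars=TRUNCATE_CHARS)


def rehash_restores_login(password: str) -> bool:
    """True once the password is re-hashed under the new policy (i.e. rotated)."""
    antelope_hash = hash_password(password, max_chars=TRUNCATE_CHARS)
    return verify_password(password, antelope_hash, max_chars=TRUNCATE_CHARS)


def find_at_risk(secrets_map: Dict[str, str]) -> List[str]:
    """Pre-upgrade check: names of stored passwords longer than 54 characters."""
    return sorted(name for name, pw in secrets_map.items() if len(pw) > TRUNCATE_CHARS)


def gen_osa_like_password(length: int) -> str:
    """Random alphanumeric password of the given length (OSA range is 16-64)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample secrets, not a real user_secrets.yml.
SAMPLE_SECRETS = {
    "keystone_service_password": gen_osa_like_password(64),
    "glance_service_password": gen_osa_like_password(54),
    "nova_service_password": gen_osa_like_password(16),
    "neutron_service_password": gen_osa_like_password(55),
}

if __name__ == "__main__":
    for name, pw in SAMPLE_SECRETS.items():
        print(f"{name} ({len(pw)} chars): breaks on upgrade = {upgrade_breaks_login(pw)}")
    print("at risk:", find_at_risk(SAMPLE_SECRETS))
```

The `find_at_risk` check is the practical takeaway: run it over the generated service passwords before upgrading, and rotate (re-hash under the new policy) anything longer than 54 characters, since `rehash_restores_login` shows that a hash created after truncation verifies again.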
Changed in openstack-ansible:
assignee: nobody → Damian Dąbrowski (damiandabrowski)
Changed in keystone:
assignee: nobody → David Wilde (dave-wilde)
Changed in keystone:
importance: Undecided → High
status: New → Triaged
Changed in openstack-ansible:
status: Triaged → In Progress
Changed in openstack-ansible:
status: In Progress → Fix Released
FYI, I proposed patches including a suggested fix (I don't know why they are not listed above):
https://review.opendev.org/c/openstack/openstack-ansible/+/889781
https://review.opendev.org/c/openstack/openstack-ansible/+/889801