TOTP with 'short' shared secrets not supported

Bug #2060452 reported by Michel Nederlof
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

We are migrating our users from an older backend to keystone and want to keep the current 2FA tokens for the end-users to make it as seamless as possible.

Historically it was common practice to generate TOTP secrets of 16 chars [1] and users still use them.

One issue we are facing is that keystone (implicitly) does not accept the 2FA TOTP secrets our older user base currently has, as the keysize is not long enough for the default settings of cryptography.

We can just pass enforce_key_length=False [2] along when initializing the cryptography TOTP class [3], and that would solve this issue, so maybe it would be a possibility to allow an operator to 'enable' this flag through a new config option for the TOTP auth plugin?

[1] https://github.com/pyca/cryptography/issues/2915
[2] https://cryptography.io/en/latest/hazmat/primitives/twofactor/#cryptography.hazmat.primitives.twofactor.hotp.HOTP
[3] https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/totp.py#L74
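The following is an added illustration, not the reporter's code, not keystone's plugin and not the cryptography package: a standard-library RFC 6238 TOTP that reproduces the 128-bit minimum key check cryptography's HOTP/TOTP classes apply by default, with a flag named after their `enforce_key_length` keyword argument. The helper names (`decode_secret`, `hotp`, `totp`, `key_accepted`, `verify_passcode`) and the two sample secrets are assumptions constructed for the example; the 20-byte key is the RFC 6238 test-vector key, and the 16-character base32 secret stands in for the legacy secrets the report describes.

```python
"""RFC 6238 TOTP in the standard library, with the same 128-bit minimum
key check that cryptography's HOTP/TOTP applies by default (added
illustration; not keystone's plugin and not the cryptography package)."""
import base64
import hashlib
import hmac
import struct

# Default minimum that cryptography enforces; the flag name below mirrors
# its enforce_key_length keyword argument.
MIN_KEY_BITS = 128


def decode_secret(secret: str) -> bytes:
    """Decode a base32 secret string (as a user would paste it) to raw bytes."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped '=' padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6,
         enforce_key_length: bool = True) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    if enforce_key_length and len(key) * 8 < MIN_KEY_BITS:
        raise ValueError("Key length has to be at least %d bits." % MIN_KEY_BITS)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, digits: int = 6, time_step: int = 30,
         enforce_key_length: bool = True) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(key, int(at_time) // time_step, digits, enforce_key_length)


def key_accepted(key: bytes, enforce_key_length: bool = True) -> bool:
    """True if the key passes the length check under the given policy."""
    try:
        hotp(key, 0, enforce_key_length=enforce_key_length)
    except ValueError:
        return False
    return True


def verify_passcode(secret: str, passcode: str, at_time: int,
                    included_previous_windows: int = 1,
                    enforce_key_length: bool = True) -> bool:
    """Accept the passcode for the current 30 s window or one of the
    included_previous_windows before it (clock skew), comparing in
    constant time."""
    key = decode_secret(secret)
    counter = int(at_time) // 30
    for back in range(included_previous_windows + 1):
        expected = hotp(key, counter - back, enforce_key_length=enforce_key_length)
        if hmac.compare_digest(expected, passcode):
            return True
    return False


# Constructed sample secrets (not taken from the bug report):
RFC_KEY = b"12345678901234567890"   # 20-byte (160-bit) RFC 6238 test-vector key
LEGACY_SECRET = "JBSWY3DPEHPK3PXP"  # 16 base32 chars -> 10 bytes (80 bits)

if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(RFC_KEY, 59, digits=8))
    legacy_key = decode_secret(LEGACY_SECRET)
    print("legacy key bits:", len(legacy_key) * 8)
    print("accepted by default:", key_accepted(legacy_key))
    print("accepted with enforce_key_length=False:",
          key_accepted(legacy_key, enforce_key_length=False))
```

Running it shows why a 16-character secret is rejected: base32 packs 5 bits per character, so 16 characters decode to 80 bits, well under the 128-bit floor, while the same HMAC-SHA1 arithmetic produces valid codes for that key once the check is relaxed. Relaxing it is a policy decision about legacy secrets, not a change to the TOTP computation, which is why an opt-in operator setting is the natural shape for it.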

Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/915258

Changed in keystone:
status: New → In Progress
Changed in keystone:
status: In Progress → New