max_password_length config and logs inconsistent

Bug #2061922 reported by Sam Morrison
Affects: OpenStack Identity (keystone)
Status: Confirmed
Importance: Medium
Assigned to: David Wilde
Milestone: (none)

Bug Description

We recently rolled out a config change to update the max_password_length to avoid all the log messages. We set this to 54 as mentioned in the release notes which we discovered was a BIG mistake as this broke everyone authenticating using existing application credentials.

There is a bit of confusion as to what to do here and the code and the release notes are inconsistent.

Upgrading to zed we got a lot of these in the logs [1]:

"Truncating password to algorithm specific maximum length 72 characters."

In the config help [2] for "max_password_length" it says:

"The bcrypt max_password_length is 72 bytes."

In the release notes [3] it says:

"Currently only bcrypt has fixed allowed lengths defined which is 54 characters."

[1] https://github.com/openstack/keystone/blob/9b0b414e3eb915c89c9786abeb1307ba734f5901/keystone/common/password_hashing.py#L89
[2] https://github.com/openstack/keystone/blob/9b0b414e3eb915c89c9786abeb1307ba734f5901/keystone/conf/identity.py#L106
[3] https://docs.openstack.org/releasenotes/keystone/zed.html
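Added illustration of the failure mode described above (not keystone's own code): the password is truncated to the configured max_password_length before it is hashed, so a credential hashed while the limit was 72 stops verifying once the limit is lowered to 54. bcrypt is not in the Python standard library, so PBKDF2-HMAC with an explicit 72-byte input cap stands in for it here; the 60-character secret is constructed.

```python
import hashlib
import hmac
import os

# bcrypt's own input limit, as stated in the max_password_length config help.
# The stand-in KDF below applies the same cap so behaviour matches the log message.
BCRYPT_MAX_BYTES = 72
ITERATIONS = 50_000


def _truncate(password: str, max_length: int) -> bytes:
    """Apply the 'Truncating password to ... maximum length' step before hashing."""
    raw = password.encode("utf-8")
    return raw[:max_length]


def hash_password(password: str, max_length: int = BCRYPT_MAX_BYTES,
                  salt: bytes = b"") -> tuple[bytes, bytes]:
    """Hash after truncating to min(configured limit, algorithm limit)."""
    salt = salt or os.urandom(16)
    material = _truncate(password, min(max_length, BCRYPT_MAX_BYTES))
    # Stand-in for bcrypt (assumption: bcrypt is not available offline here).
    digest = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes,
                    max_length: int) -> bool:
    """Verification truncates with the *current* limit, not the one used at hash time."""
    material = _truncate(password, min(max_length, BCRYPT_MAX_BYTES))
    digest = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


def survives_limit_change(secret: str, old_max: int, new_max: int) -> bool:
    """True if a hash stored under old_max still verifies after the config moves to new_max."""
    salt, stored = hash_password(secret, old_max)
    return verify_password(secret, salt, stored, new_max)


# Constructed 60-character application-credential secret (not a real one):
# longer than 54 but within bcrypt's 72, i.e. exactly the range the bug hits.
SECRET_60 = "a" * 30 + "b" * 30
```

Secrets of 54 characters or fewer are unaffected by the change; anything between 55 and 72 characters fails to verify after the limit is lowered.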

Sam Morrison (sorrison)
description: updated
David Wilde (dave-wilde)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
assignee: nobody → David Wilde (dave-wilde)
importance: Low → Medium