From 19b8207ff1e959669d296407ed112545364a495d Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sun, 4 Nov 2012 11:19:41 -0600 Subject: merged SHA512AuthTktAuthenticationPolicy into AuthTktAuthenticationPolicy AuthTktAuthenticationPolicy now accepts a hashalg parameter and is no longer deprecated. Docs recommend overriding hashalg and using 'sha512'. --- CHANGES.txt | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 45fc19762..390d3c3e3 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -4,6 +4,10 @@ Next release Features -------- +- ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to + support newer hashing algorithms such as ``sha512``. Existing applications + should consider updating if possible. + - Added an ``effective_principals`` route and view predicate. - Do not allow the userid returned from the ``authenticated_userid`` or the 
@@ -43,24 +47,6 @@ Bug Fixes attribute of the request. It no longer fails in this case. See https://github.com/Pylons/pyramid/issues/700 -Deprecations ------------- - -- The ``pyramid.authentication.AuthTktAuthenticationPolicy`` authentication - policy is deprecated in Pyramid 1.4 due to its use of the MD5 hashing - algorithm, which has known hash collision vulnerabilities. The risk of an - exploit is low. However, for improved authentication security, use the - ``pyramid.authentication.SHA512AuthTktAuthenticationPolicy`` instead. - Cookies generated by the AuthTktAuthenticationPolicy are not compatible with - cookies generated by the SHA512AuthTktAuthenticationPolicy, however, so - switching to the latter will imply that all existing users with a valid - cookie will be required to re-login. The SHA-512 version is not compatible - with Apache's mod_auth_tkt either, so if you are relying on that - compatibility, you'll want to stick with the MD5 version. - - A deprecation warning is now emitted when the AuthTktAuthenticationPolicy is - imported. - Internals --------- -- cgit v1.2.3 From ca3df803c9afd04d7dee612e0bf321cc62cf900f Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sun, 4 Nov 2012 12:34:22 -0600 Subject: emit a warning if a user is using the default hashalg to AuthTkt --- CHANGES.txt | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index b3733a787..43a910f96 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
@@ -48,6 +48,15 @@ Bug Fixes attribute of the request. It no longer fails in this case. See https://github.com/Pylons/pyramid/issues/700 +Deprecations +------------ + +- ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a warning + if an application is using the policy without explicitly setting the + ``hashalg``. This is because the default is "md5" which is considered + insecure. If you really want "md5" then you must specify it explicitly to + get rid of the warning. + Internals --------- -- cgit v1.2.3
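Review bot: in commit 19b8207, hunk ``@@ -4,6 +4,10 @@``, the new Features entry never names the option it is announcing. The commit message says the policy "now accepts a hashalg parameter", so the changelog should say so and state the default, e.g. "``AuthTktAuthenticationPolicy`` now accepts a ``hashalg`` argument (default ``md5``); ``sha512`` is recommended." The closing sentence "Existing applications should consider updating if possible" is too vague for a security-relevant change; say what to update (pass ``hashalg='sha512'``).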
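Review bot: in commit 19b8207, hunk ``@@ -43,24 +47,6 @@``, deleting the whole Deprecations block also drops two operational caveats that still apply after the merge: tickets signed with one hash algorithm are not valid under another, so switching to ``sha512`` forces every user with a valid cookie to log in again, and the SHA-512 variant is not compatible with Apache's mod_auth_tkt. Suggest moving those two sentences into the new Features entry rather than removing them, so operators know the switch invalidates live sessions before flipping it in production.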
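Review bot: in commit ca3df80, hunk ``@@ -48,6 +48,15 @@``, the entry sits under "Deprecations" but describes a warning rather than a removal; state plainly what is deprecated (relying on the implicit ``md5`` default) so readers know which part will change. "If you really want "md5"" is informal for a changelog; suggest "To keep ``md5`` (for example when sharing tickets with Apache's mod_auth_tkt), pass ``hashalg='md5'`` explicitly and the warning is suppressed." That also gives readers the legitimate reason to keep the weaker default, which the current wording omits.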