Bug 631200 - <sys-auth/keystone-12.0.0: sha512_crypt for password hashing is insufficient
Summary: <sys-auth/keystone-12.0.0: sha512_crypt for password hashing is insufficient
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low minor
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2017/q3/468
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-17 13:21 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-03-18 16:06 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Aleksandr Wagner (Kivak) 2017-09-17 13:21:43 UTC
From $URL:

sha512_crypt is insufficient for password hashing
-------------------------------------------------

### Summary ###

Use of sha512_crypt for password hashing in versions of Keystone prior
to Pike is insufficient and provides limited protection against
brute-forcing of password hashes.

### Affected Services / Software ###
OpenStack Identity Service (Keystone). OpenStack Releases Ocata, Newton.

### Discussion ###

Keystone uses sha512_crypt for password hashing. This provides
insufficient and limited protection, since the sha512_crypt algorithm has a
low computational cost factor, which makes it easier to crack
passwords offline in a short period of time.

The correct mechanism is to use the more secure hashing algorithms with
a higher computational cost factor such as bcrypt, scrypt, or
pbkdf2_sha512 instead of sha512_crypt.

### Recommended Actions ###

It is recommended that operators upgrade to the Pike release where all
future passwords would be bcrypt hashed.

Operators should also force password changes on all users [1], which
will result in the users' newly generated passwords being bcrypt hashed.

### Contacts / References ###
Author: Luke Hinds <lhinds () redhat com>
[1]:
https://docs.openstack.org/keystone/latest/admin/identity-security-compliance.html#force-users-to-change-password-upon-first-use
[2] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0081
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1668503
Mailing List : [Security] tag on openstack-dev () lists openstack org
OpenStack Security Project : https://launchpad.net/~openstack-ossg


@Maintainer(s): Please state when the package is ready for stabilization.
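To make the advisory's two points concrete (a hash scheme with a tunable, high cost factor, and identifying legacy sha512_crypt entries so the affected users get rehashed), here is an added example. It is not Keystone's code and not part of OSSN-0081 or this bug; it uses only the Python standard library. The `$pbkdf2-sha512$<rounds>$<salt>$<dk>` storage format, the 200000-iteration floor, and the sample user rows are constructed assumptions for illustration, not Keystone's settings or on-disk format.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed assumption: the minimum PBKDF2 iteration count this example
# accepts as "strong enough". Keystone's own defaults are not on this page.
MIN_PBKDF2_ROUNDS = 200_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password_pbkdf2(password: str, rounds: int = MIN_PBKDF2_ROUNDS,
                         salt: Optional[bytes] = None) -> str:
    """Hash with PBKDF2-HMAC-SHA512 and a per-user random salt.

    Output format '$pbkdf2-sha512$<rounds>$<b64 salt>$<b64 dk>' is a
    constructed format for this example, not passlib's or Keystone's.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "$pbkdf2-sha512$%d$%s$%s" % (rounds, _b64(salt), _b64(dk))


def scheme_of(stored: str) -> str:
    """Classify a stored hash by its modular-crypt prefix."""
    if stored.startswith("$6$"):
        return "sha512_crypt"          # the legacy scheme named in OSSN-0081
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"                # the scheme Pike moves new passwords to
    if stored.startswith("$pbkdf2-sha512$"):
        return "pbkdf2_sha512"
    return "unknown"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time verification for the pbkdf2_sha512 format above."""
    if scheme_of(stored) != "pbkdf2_sha512":
        raise ValueError("only the pbkdf2_sha512 format of this example is verifiable here")
    _, _, rounds, salt_b64, dk_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, int(rounds))
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, min_rounds: int = MIN_PBKDF2_ROUNDS) -> bool:
    """True when the stored hash should be regenerated on the next login.

    sha512_crypt is always flagged (the advisory's point); pbkdf2_sha512 is
    flagged when its iteration count is below the floor; bcrypt is accepted.
    """
    scheme = scheme_of(stored)
    if scheme == "sha512_crypt":
        return True
    if scheme == "pbkdf2_sha512":
        return int(stored.split("$")[2]) < min_rounds
    if scheme == "bcrypt":
        return False
    return True  # unknown or malformed: treat as needing attention


def audit_hashes(rows: Dict[str, str]) -> List[Dict[str, object]]:
    """Report, per user, which scheme is stored and whether a rehash is due.

    This is the defender-side check behind 'force password changes on all
    users': it tells you who still has a low-cost hash.
    """
    return [{"user": user, "scheme": scheme_of(h), "needs_rehash": needs_rehash(h)}
            for user, h in rows.items()]


# Constructed sample rows (placeholders, not real hashes or real users).
SAMPLE_ROWS = {
    "alice": "$6$constructedSalt$constructedSha512CryptPlaceholder",
    "bob": "$2b$12$constructedBcryptSaltAndHashPlaceholder",
    "carol": hash_password_pbkdf2("carol-password", rounds=1000, salt=b"fixedsalt0123456"),
}

if __name__ == "__main__":
    for entry in audit_hashes(SAMPLE_ROWS):
        print(entry)
```

Run as a script, the audit flags alice (sha512_crypt) and carol (pbkdf2 with too few rounds) and accepts bob (bcrypt). In a real deployment the equivalent query would be run against the identity store's password table, and the flagged accounts would be the ones to force through a password change so their new credential is stored under the stronger scheme.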
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-09-17 18:04:13 UTC
It's scheduled to go stable on the 30th.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 02:48:53 UTC
please drop vulnerable versions
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-20 03:05:12 UTC
That would mean dropping much more than just the older versions of keystone.

It'd mean dropping the older versions of cinder, glance, heat, neutron, nova, swift, possibly more.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 03:20:45 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> That would mean dropping much more than just the older versions of keystone.
> 
> It'd mean dropping the older versions of cinder, glance, heat, neutron,
> nova, swift, possibly more.

Well, a mask would cause the same pain, I suppose. Oh, well. Leave the vulnerable I guess.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-18 16:06:05 UTC
Cleanup done.

GLSA Vote: No.

Thank you all