
yahoo-eng-team team mailing list archive

[Bug 2028809] Re: Upgrades from Zed to Antelope may fail due to the password truncation


** Changed in: openstack-ansible
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2028809

Title:
  Upgrades from Zed to Antelope may fail due to the password truncation

Status in OpenStack Identity (keystone):
  Fix Released
Status in openstack-ansible:
  Fix Released

Bug description:
  Since 2023.1, keystone truncates bcrypt passwords to 54 characters [1],
  while OSA generates passwords for openstack services with a length
  between 16 and 64 characters [2].

  It may cause issues with keystone authentication after upgrade because
  we recently disabled password updates by default [3].

  Example scenario:
  1. User1 was created during Zed release with password containing 64 characters.
  2. Password was hashed using all 64 characters (in [4] it is only mentioned that bytes 55-72 are not fully mixed into the resulting hash, but it means they are still used to some extent).
  3. Openstack is upgraded to 2023.1 (where keystone truncates passwords to 54 chars when hashing).
  4. User1 cannot authenticate to keystone because the hash was originally created using 64 characters but now only 54 characters are used.

  As a solution I recommend:
  - Enable ``service_update_password`` during the upgrade process to rehash service passwords again (and keep information about it in the major upgrades guide until 2024.1).
    Please note that it will only fix passwords managed by openstack-ansible. User passwords containing more than 54 characters will stop working.
    Enabling ``service_update_password`` may also prolong API downtime due to bug #2023370 [5].
  - Edit pw-token-gen.py script to generate passwords with length up to 54 characters.

  I do not suggest switching to scrypt because:
  - We cannot rehash bcrypt passwords anyway
  - Bcrypt is still default password_hash_algorithm in keystone

  [1] https://review.opendev.org/c/openstack/keystone/+/828595
  [2] https://opendev.org/openstack/openstack-ansible/src/commit/d1e30257ae0c818780684fe77e1b34ba4dd0dc40/scripts/pw-token-gen.py#L85
  [3] https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/888152
  [4] https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues
  [5] https://bugs.launchpad.net/openstack-ansible/+bug/2023370

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2028809/+subscriptions
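The scenario in the bug report (a hash created from all 64 characters no longer verifying once only 54 are hashed) is easy to check for before an upgrade. The script below is an added example, not code from keystone or openstack-ansible. It assumes that keystone 2023.1 hashes only the first 54 characters of a password (the limit the report cites from [1]), that pw-token-gen.py's lower bound of 16 characters still applies, and that OSA secrets are flat ``key: value`` YAML lines; the sample user_secrets.yml content is constructed and a minimal line parser stands in for PyYAML so it runs without extra packages. It lists every secret longer than 54 characters (those whose pre-upgrade hash will stop verifying), shows that any two passwords sharing their first 54 characters become interchangeable after the change, and generates replacements capped at 54 characters as the report recommends.

```python
"""Pre-upgrade audit for the keystone 2023.1 bcrypt truncation (bug 2028809).

Added example, not keystone or openstack-ansible code. Assumptions:
  * keystone >= 2023.1 hashes only the first 54 characters (BCRYPT_MAX_LENGTH);
  * OSA secrets are flat ``key: value`` lines (minimal parser instead of PyYAML);
  * SAMPLE_USER_SECRETS below is constructed sample data, not a real deployment.
"""
import secrets
import string

BCRYPT_MAX_LENGTH = 54     # keystone's limit from 2023.1 on (assumed from the bug text)
MIN_PASSWORD_LENGTH = 16   # lower bound pw-token-gen.py uses (from the bug text)

# Constructed stand-in for /etc/openstack_deploy/user_secrets.yml.
SAMPLE_USER_SECRETS = "\n".join([
    "# constructed sample, not a real secrets file",
    "keystone_auth_admin_password: " + "0123456789abcdef" * 4,            # 64 chars
    "glance_service_password: " + string.ascii_letters + "01",            # 54 chars
    "nova_service_password: '" + "0123456789abcdef" * 2 + "'",            # 32 chars
    "neutron_service_password: " + "0123456789" * 5 + "01234567",         # 58 chars
])


def truncate_for_bcrypt(password: str) -> str:
    """Model keystone >= 2023.1: only the first 54 characters reach bcrypt."""
    return password[:BCRYPT_MAX_LENGTH]


def affected_by_truncation(password: str) -> bool:
    """True if a hash made before 2023.1 from the full password will no
    longer verify once keystone hashes only the first 54 characters."""
    return len(password) > BCRYPT_MAX_LENGTH


def same_after_truncation(a: str, b: str) -> bool:
    """After the change, passwords that agree on the first 54 characters
    hash identically, so either one authenticates the account."""
    return truncate_for_bcrypt(a) == truncate_for_bcrypt(b)


def parse_flat_yaml(text: str) -> dict:
    """Minimal parser for flat ``key: value`` lines (stand-in for PyYAML)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip().strip("'\"")
    return out


def find_truncated_secrets(text: str) -> list:
    """Return (key, length) for every secret longer than 54 characters."""
    return sorted((k, len(v)) for k, v in parse_flat_yaml(text).items()
                  if affected_by_truncation(v))


def generate_password(min_length: int = MIN_PASSWORD_LENGTH,
                      max_length: int = BCRYPT_MAX_LENGTH) -> str:
    """Random alphanumeric password whose length never exceeds 54, the
    cap the bug report proposes for pw-token-gen.py."""
    length = min_length + secrets.randbelow(max_length - min_length + 1)
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for key, length in find_truncated_secrets(SAMPLE_USER_SECRETS):
        print(f"{key}: {length} chars > {BCRYPT_MAX_LENGTH}, will fail after upgrade;"
              f" replacement: {generate_password()}")
    base = "x" * BCRYPT_MAX_LENGTH
    print("tails ignored after 2023.1:", same_after_truncation(base + "A", base + "B"))
```

Secrets listed by this script are the ones that need ``service_update_password`` (or a manual reset) during the Zed to 2023.1 upgrade; passwords of end users are not in this file and have to be found on the keystone side.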