Obsolete check-identity-04

The [token]/hash_algorithm config option has been deprecated since
mitaka[1].

To avoid renumbering, update check-identity-04 to '(Obsolete)'. This
keeps numbering compatibility for people using previous versions of the
checklist.

[1]: https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka

Change-Id: I587617f29141a244ca7983300ff4fcebed4255f5
Jake Yip 2021-01-07 12:16:00 +11:00
parent b0e696774c
commit f493bb8c50
1 changed files with 1 additions and 13 deletions


@ -83,21 +83,9 @@ you should enable TLS on the HTTP/WSGI server.
Recommended in: :doc:`../secure-communication`.
Check-Identity-04: Does Identity use strong hashing algorithms for PKI tokens?
Check-Identity-04: (Obsolete)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MD5 is a weak and depreciated hashing algorithm. It can be cracked using
brute force attack. Identity tokens are sensitive and need to be
protected with a stronger hashing algorithm to prevent unauthorized
disclosure and subsequent access.
**Pass:** If value of parameter ``hash_algorithm`` under ``[token]``
section in ``/etc/keystone/keystone.conf`` is set to SHA256.
**Fail:** If value of parameter ``hash_algorithm`` under
``[token]``\ section is set to MD5.
Recommended in: :doc:`tokens`.
Check-Identity-05: Is ``max_request_body_size`` set to default (114688)?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
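
Review bot: The retitled section "Check-Identity-04: (Obsolete)" is left with no body text, so a reader of the rendered checklist sees the heading followed immediately by Check-Identity-05 and has no way to learn why the check was retired; the reason exists only in the commit message. Consider keeping one sentence under the heading stating that the ``[token]/hash_algorithm`` option has been deprecated since Mitaka and that the check no longer applies, so anyone holding an older audit result that cites Check-Identity-04 can interpret it. As a style point, the tilde underline still has the length of the old title; reStructuredText accepts an underline longer than its title, but the neighbouring Check-Identity-05 heading uses an underline that matches its title exactly, so trimming this one would keep the file consistent.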