Remove MD5 digest from everywhere and default to SHA256 #31162
@@ -631,7 +631,7 @@ def deploy_war(war, | |||
|
|||
def passwd(passwd, | |||
user='', | |||
alg='md5', | |||
alg='sha1', |
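Review bot: the new default on the `alg='sha1'` line of `passwd()` stops at SHA-1, while the PR title says the default moves to SHA256, and SHA-1 is itself no longer considered collision-resistant. If Tomcat compatibility is the reason for stopping at sha1, state that in the function's docstring together with the `alg` values that are accepted, so callers can opt into a stronger digest. Callers that relied on the implicit `md5` default will now get a different digest, which deserves a release note.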
wait, not sha256?
I was not sure if this is OK for Tomcat, since this module replaces that there. SHA1 is OK, but for the others I didn't look up if this is compatible.
While I completely agree with this, it should not go in a point release; this needs to be rebased on develop. Also, the primary use of md5 in salt is for file integrity and caches, and not for cryptographic means. The key fingerprints are just that, fingerprints. This also begs the question, should we split out the hash usage for file integrity tasks to use crc and just bump the cryptographic hashes up to sha256? Also, should we go ahead and build in support for alternative hashes like blake?
The main upgrade worry here is that all of the cache data for files, git backend etc. will be invalidated, and we need to see if salt will just handle it, or if it will require a flush of the cache, and if it requires a cache flush we need to figure out how to make that automatic.
Keep in mind that it would need to be a controlled wipe
Personally, I would prefer not to switch this out from underneath people. There are people who use Salt's cache from external systems and forcing a full cache wipe on an upgrade (or even on a config change) strikes me as too aggressive. My preference here would be to warn people that they should change the hash type in their config for at least a few releases before we even consider a hard-switch like this.
The main problem here is that the fingerprints for the key exchange are using MD5 and in our eyes this is a "no go" and we can't ship that. Hence I've changed this to be at all configurable, since the fingerprint function although had default to MD5, nothing was passing anything else from the Also since we operate at 2015.8 at the moment, we would like to have this there (too), while @cachedout told me earlier that you, guys, doing "upward" rebase on your own, so it is enough to just commit to the lowest supported? @cachedout maybe it would help to leave MD5 by default in the configs and Does it make sense?
@isbm, I completely agree and understand. and @cachedout and myself have discussed how to best handle this.
@thatch45 @cachedout sorry being late here (we were busy on other PRs here). So what I understand is:
Question: Where/how to add that deprecation warning other than just write some commented out block in the config files of
We want the deprecation warning to show up in the logs each time the master/minion starts. So we would add a check to see if the config value is set to anything lower than sha256 at the end of the config loading process in salt/config/init.py. Then use Salt's deprecation system to flag it.
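The startup check described in the comment above, sketched as an added example that is not part of this PR or Salt's own code. It uses the standard `logging` module instead of Salt's deprecation system; the function names, the logger name and the "missing key means md5" default are assumptions, and only the `hash_type` option and the sha256 threshold come from the thread.

```python
import hashlib
import logging

log = logging.getLogger("hash_type_nag")  # hypothetical logger name

# Digest sizes in bits for the names this sketch accepts (assumed list).
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha224": 224,
               "sha256": 256, "sha384": 384, "sha512": 512}
FLOOR = "sha256"  # the thread's threshold: warn on anything lower


def hash_type_warning(opts):
    """Return a nag message if opts['hash_type'] is below FLOOR, else None."""
    # Assumption: a missing key means the legacy md5 default is in effect.
    name = str(opts.get("hash_type", "md5")).lower()
    if name not in DIGEST_BITS:
        raise ValueError("unsupported hash_type: %r" % name)
    if DIGEST_BITS[name] < DIGEST_BITS[FLOOR]:
        return ("hash_type is set to %r, which is weaker than %s; "
                "set hash_type: %s in the configuration" % (name, FLOOR, FLOOR))
    return None


def finish_config_load(opts):
    """Last step of config loading: nag in the log, never change the value."""
    msg = hash_type_warning(opts)
    if msg:
        log.warning(msg)
    return opts


def fingerprint(key_bytes, hash_type):
    """Colon-separated hex digest of key material using the configured hash."""
    digest = hashlib.new(hash_type, key_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    sample_key = b"constructed sample public key bytes"  # constructed input
    for opts in ({"hash_type": "md5"}, {"hash_type": "sha256"}):
        finish_config_load(opts)  # warns for md5, stays silent for sha256
        print(opts["hash_type"], fingerprint(sample_key, opts["hash_type"]))
```

Because the check only warns and leaves the configured value untouched, existing caches and fingerprints keep working until the operator changes `hash_type` deliberately.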
Hi @isbm Just checking in to see how we're coming along with this one. Let me know if there's anything we can do. Thanks!
@thatch45 Yes, I will likely tackle it either tomorrow (Friday, CET) or Monday. One step at a time. 😉
No hurry. Just checking in. Thanks, @isbm
5a4f5fa to 0c121b1
@cachedout @thatch45 Here is an attempt to speak the same things across the daemons for hashes, hence the mixin for all of them. The
Added a Unit test, that verifies if a nag-message is shown in the logs in case
This looks great @isbm ! Thanks for the work, and for being understanding as we try to ease into things and be careful on all fronts!
@isbm There's a small lint error. Would you mind cleaning that up? Thanks for your work here! (The other test failure is not related.)
@rallytime Oops, overlooked. Done!
@thatch45 Thanks! I will "up-port" that to the
@isbm Is this now ready for review from your perspective?
@cachedout sure. I am now working on
@isbm This has merge conflicts. Could you please rebase it and then I'll take a look and see if we can get this in? Thanks.
@cachedout Done.
Remove MD5 digest from everywhere and default to SHA256
Updates hash_type default to sha256 instead of md5 for new instances installed via salt-cloud. Fixes saltstack#32246 Refs saltstack#31162
This removes obsolete MD5 digest that was by default everywhere. The new MD5 is SHA256. This is why.