Re-hash sha512 hashed passwords with current hashing algorithm #42
Merged: stanislav-zaprudskiy merged 2 commits into stable/2025.1-m3 on Dec 5, 2025
Conversation
rajivmucheli previously approved these changes (Dec 2, 2025)
BerndKue previously approved these changes (Dec 2, 2025)
With the Epoxy release the support for the sha512_crypt hash is dropped. This change adds a check of the password hash when the user authenticates. If the hash of the user's password is deprecated then the password will be re-hashed using the default hasher and updated in the database.

Change-Id: I4a16401b914c92fd7db9d626cb1642570b36d600
Signed-off-by: Adrian Jarvis <adrian.jarvis@catalystcloud.nz>

Commit 766c1a6 (updated from ba22b9b to 766c1a6)
rajivmucheli approved these changes (Dec 4, 2025)
sandzwerg approved these changes (Dec 4, 2025)
SHA512 hashing was dropped from Keystone upstream in the following changes:
However, the last available implementation of SHA512 - https://review.opendev.org/c/openstack/keystone/+/930223/2/keystone/common/password_hashers/sha512_crypt.py - never worked and is not correct, which could be confirmed by executing the respective test. So it's not enough to just revert https://review.opendev.org/c/openstack/keystone/+/939778 - a proper implementation of the algorithm is needed.
For that reason, the PR brings back passlib, to use its implementation of SHA512 hashing. However, it is worth noting that passlib was dropped from the upstream as well, which we shall also do with the next Keystone upgrade, along with the respective cherry-picked https://review.opendev.org/c/openstack/keystone/+/959279, which brings the re-hashing functionality.

With this PR, in the meantime until the next upgrade, the respective impacted users will get their password hash updated in the database to the current hashing mechanism upon executing login/password authentication. There could be some users that won't log in until then, and thus won't get their hash updated, in which case it would be safe to assume that those users are no longer relevant (as they didn't log in within e.g. 6mo). Such users would have to be identified, reviewed and followed up as needed.
Upstream issue - https://bugs.launchpad.net/keystone/+bug/2133706.
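The "re-hash on login" flow that the commit message and the description above talk about, as an added example that is not Keystone's, passlib's or this PR's own code. The legacy `$6$` verifier is a from-scratch implementation of the SHA-512 variant of Drepper's SHA-crypt specification (so the example can run without passlib); the "current" hasher is `hashlib.scrypt`, used here only as a stand-in because it ships with Python. The `$scrypt$...` string format, the in-memory `db` dict, and the function names (`authenticate`, `is_deprecated`, `users_on_deprecated_hash`) are this example's assumptions, not Keystone's.

```python
# Added example, not code from the PR or from Keystone/passlib.
# Legacy hasher: SHA-512 crypt ($6$) per the SHA-crypt specification.
# Current hasher: hashlib.scrypt as a stand-in (Keystone's real default
# hasher is configurable; do not read this as "Keystone uses scrypt").
import base64
import hashlib
import hmac
import os

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _sha512_crypt_digest(pw: bytes, salt: bytes, rounds: int) -> bytes:
    """SHA-crypt core for SHA-512; returns the 64-byte final digest."""
    b = hashlib.sha512(pw + salt + pw).digest()
    a = hashlib.sha512(pw + salt)
    n = len(pw)
    while n > 64:                      # digest B once per full 64-byte block of pw
        a.update(b)
        n -= 64
    a.update(b[:n])                    # then the first n bytes of B
    n = len(pw)
    while n:                           # bits of len(pw), lowest first: 1 -> B, 0 -> pw
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]          # P: DP repeated to len(pw)
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]      # S: DS repeated to len(salt)
    c = a
    for i in range(rounds):            # the cost factor: `rounds` chained SHA-512s
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    return c


def _crypt_b64(c: bytes) -> str:
    """crypt(3)-style base64 with SHA-crypt's byte permutation (86 chars)."""
    out = []

    def emit(b2: int, b1: int, b0: int, count: int) -> None:
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(count):
            out.append(_B64[w & 0x3F])
            w >>= 6

    i, j, k = 0, 21, 42                # (i,j,k) -> (j+1,k+1,i+1) walks the spec's table
    for _ in range(21):
        emit(c[i], c[j], c[k], 4)
        i, j, k = j + 1, k + 1, i + 1
    emit(0, 0, c[63], 2)
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Legacy hasher: returns $6$[rounds=N$]salt$digest."""
    salt = salt[:16]                   # the spec truncates salts to 16 characters
    digest = _crypt_b64(_sha512_crypt_digest(password.encode(), salt.encode(), rounds))
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${digest}"


def sha512_crypt_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")          # ['', '6', ('rounds=N',) salt, digest]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds, idx = 5000, 2
    if parts[2].startswith("rounds="):
        rounds, idx = int(parts[2][7:]), 3
    if len(parts) != idx + 2:
        return False
    digest = _crypt_b64(_sha512_crypt_digest(password.encode(), parts[idx].encode(), rounds))
    return hmac.compare_digest(digest, parts[idx + 1])   # constant-time compare


def scrypt_hash(password: str) -> str:
    """Stand-in 'current default' hasher; format is this example's own."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return "$scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def scrypt_verify(password: str, stored: str) -> bool:
    _, _, salt_b64, dk_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def is_deprecated(stored: str) -> bool:
    return stored.startswith("$6$")


def authenticate(db: dict, user: str, password: str) -> bool:
    """Verify with whichever hasher produced the stored hash; on success with a
    deprecated hash, re-hash with the current hasher and write it back. Login
    is the only moment the plaintext is available, so the only moment an
    upgrade can happen; users who never log in keep the old hash."""
    stored = db.get(user)
    if stored is None:
        return False
    if is_deprecated(stored):
        if not sha512_crypt_verify(password, stored):
            return False
        db[user] = scrypt_hash(password)   # the "update in the database" step
        return True
    return scrypt_verify(password, stored)


def users_on_deprecated_hash(db: dict) -> list:
    """The follow-up list the description mentions: accounts still on $6$."""
    return sorted(u for u, h in db.items() if is_deprecated(h))
```

Running `authenticate` twice for the same user shows the migration: the first correct login replaces the `$6$` hash with a `$scrypt$` one, the second verifies against the new hash directly. A wrong password never triggers a re-hash, and `users_on_deprecated_hash` gives the set of accounts that still need review after the grace period.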