[Twisted-Python] Plain text password with PB authentication?
exarkun at intarweb.us
Fri Aug 29 23:47:17 EDT 2003
On Fri, Aug 29, 2003 at 04:02:38PM -0600, Boersma, Matt wrote:
> First, thanks to Itamar for nudging me in the right direction. I never
> thought of looking at the unit tests for documentation, but so far that's
> the clearest explanation of the new PBServerFactory stuff I've seen.
> Here's my problem. I have a PB client that calls login against the
> server, with a UsernamePassword object as credentials. PB sets up for me
> nice default implementations of the authentication mechanisms, but refuses
> to send the actual password to the server, only a doubly MD5-hashed
> version of same.
> No! Stop your flames! Trading only hashes across the wire makes perfect
> sense--in most cases. I fully understand, and I've written nearly
> identical Java code recently to do the same.
No need to flame. Authenticating against plaintext passwords is fine --
as long as your transport is secure.
Make sure your server uses listenSSL() and your client uses connectSSL().
> But...in this case I want simply to delegate the actual authentication on
> the server side to an Oracle login. That is, if I can get a
> SQLConnectionPool with the given username and password and execute a test
> query, then the user is considered authenticated. This requires that the
> server have the actual password, not its hash. (Oracle doesn't appear to
> support anything besides clear text login, at least through the cx_Oracle
> and DCOracle2 APIs.)
Disappointed. Maybe some of the enterprise fell out of the box during
> So my options are:
> - Create subclasses of PBClientFactory, CredentialsChecker, perhaps
> others, purely to undo the strict md5-hashing behavior of PB instead
> supply the clear text password.
You only need to subclass PBClientFactory and PBServerFactory, nothing
Override PBServerFactory.buildProtocol() and set a different root object,
one that implements remote_login() that takes both the plaintext username
and password as arguments and returns the avatar right away (or a deferred
that is called back with the avatar eventually).
Then override PBClientFactory.login() to send both the username and
password to the server's login() method.
> - Leave the existing authentication as-is and create a dummy
> CredentialsChecker that always allows login. Then do the "real"
> authentication in a secondary method the client is required to call.
Don't do this.
> Which of these two ugly approaches is more Twisted?
The former approach isn't ugly at all. The latter is pretty hackish.
Once again, for emphasis: don't do this unless your transport is secure.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://twistedmatrix.com/pipermail/twisted-python/attachments/20030829/b96f8ba4/attachment.pgp
More information about the Twisted-Python