[Twisted-Python] PB and hashed passwords
exarkun at divmod.com
Fri Apr 23 09:24:40 EDT 2004
Uwe C. Schroeder wrote:
>just found something in pb (twisted version 1.2.0) that's a bit strange.
>I've written a credentials checker and set
>self.credentialInterfaces = (credentials.IUsernamePassword,)
>So far, so good.
Mmm, no. twisted.spread.pb.PBClientFactory.login() does not support arbitrary credentials objects. It may in the future, but currently it only provides equivalent functionality to the previous, deprecated API.
> However the following error is thrown:
>No checker for twisted.cred.credentials.IUsernameHashedPassword,
Indeed, as IUsernamePassword is not IUsernameHashedPassword.
>I traced it back to pb._PortalAuthChallenger
>It only implements hashed and md5 passwords. Maybe I don't get it, but where is the sense in sending a password in cleartext over the wire to then md5 on the "server" side?
PB does not send the password in cleartext over the wire and then MD5 it on the server! That would be senseless :)
>I'd rather md5 it on the client side and send the hash to be compared against the password storage, which also stores a md5.
The challenge/response mechanism PB uses is more secure than this, so I don't think you want to do it.
>I tried to do this by using plaintext passwords, since the routines then simply compare without md5'ing it, but it doesn't seem to be possible to use plaintext with pb without changing something. Can I user-define a class to jump in there?
Absolutely. PBClientFactory.login() and the methods associated with it aren't special. They're just convenient. All they do is call a predefined sequence of remote methods in exactly the same way user code (your code) can call them. If you want a different login sequence, just define and call the methods for it. That said, I really doubt you actually want a different login sequence.
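The challenge/response login the reply refers to, as an added illustration that is not part of this thread and not Twisted's own code: the server issues a random challenge, the client sends back md5(md5(password) + challenge), and a server whose store holds only md5(password) can still verify it. The double-MD5 shape is assumed to match what pb.respond() does; the function names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed example, not Twisted's own code. It models the challenge/response
# login of twisted.spread.pb: the server sends a random challenge, the client
# answers with md5(md5(password) + challenge), and only the challenge and that
# answer cross the wire. The double-MD5 shape is assumed to match pb.respond();
# the function names below are this example's own.


def store_md5(password: bytes) -> bytes:
    """What a store that keeps only md5(password) holds for a user."""
    return hashlib.md5(password).digest()


def make_challenge() -> bytes:
    """Server side: a fresh, unpredictable challenge for each login attempt."""
    return hashlib.md5(os.urandom(16)).digest()


def respond(challenge: bytes, password: bytes) -> bytes:
    """Client side: hash the password, then bind that hash to this challenge."""
    hashed_password = hashlib.md5(password).digest()
    return hashlib.md5(hashed_password + challenge).digest()


def check_md5_password(challenge: bytes, response: bytes, stored_md5: bytes) -> bool:
    """Server side, IUsernameHashedPassword case: a store holding only
    md5(password) can verify, because the client's inner hash is exactly
    that value. The comparison is constant-time."""
    expected = hashlib.md5(stored_md5 + challenge).digest()
    return hmac.compare_digest(expected, response)


def check_password(challenge: bytes, response: bytes, cleartext: bytes) -> bool:
    """Server side, IUsernamePassword case: recompute from the cleartext."""
    return hmac.compare_digest(respond(challenge, cleartext), response)


def login_exchange(stored_md5: bytes, attempt: bytes) -> bool:
    """One full exchange. The network only ever sees the challenge and the
    response, never `attempt`. Caveat for the store: anyone holding
    stored_md5 can answer the challenge, so the hash store must be
    protected as if it held the passwords themselves."""
    challenge = make_challenge()            # server -> client
    response = respond(challenge, attempt)  # client -> server
    return check_md5_password(challenge, response, stored_md5)
```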