[Twisted-Python] PB and hashed passwords

Jp Calderone exarkun at divmod.com
Fri Apr 23 07:24:40 MDT 2004


Uwe C. Schroeder wrote:

>Hi,
>
>just found something in pb (twisted version 1.2.0) that's a bit strange.
>I've written a credentials checker and set
>
>self.credentialInterfaces = (credentials.IUsernamePassword,)
>
>So far, so good.
>
  Mmm, no.  twisted.spread.pb.PBClientFactory.login() does not support arbitrary credentials objects.  It may in the future, but currently it only provides equivalent functionality to the previous, deprecated API.

> However the following error is thrown:
>
>No checker for twisted.cred.credentials.IUsernameHashedPassword, twisted.cred.credentials.ICredentials, twisted.spread.pb.IUsernameMD5Password
>
  Indeed, as IUsernamePassword is not IUsernameHashedPassword.

>I traced it back to pb._PortalAuthChallenger
>
>It only implements hashed and md5 passwords. Maybe I don't get it, but where is the sense in sending a password in cleartext over the wire to then md5 it on the "server" side?
>
  PB does not send the password in cleartext over the wire and then MD5 it on the server!  That would be senseless :)

>I'd rather md5 it on the client side and send the hash to be compared against the password storage, which also stores an md5.
>
  The challenge/response mechanism PB uses is more secure than this, so I don't think you want to do it.

>I tried to do this by using plaintext passwords, since the routines then simply compare without md5'ing it, but it doesn't seem to be possible to use plaintext with pb without changing something. Can I user-define a class to jump in there?
>
  Absolutely.  PBClientFactory.login() and the methods associated with it aren't special.  They're just convenient.  All they do is call a predefined sequence of remote methods in exactly the same way user code (your code) can call them.  If you want a different login sequence, just define and call the methods for it.  That said, I really doubt you actually want a different login sequence.

  Jp
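The challenge/response exchange Jp refers to, written out as an added example (not code from this thread or from Twisted itself). It assumes the construction md5(md5(password) + challenge) that twisted.spread.pb.respond uses, and a checker that declares IUsernameHashedPassword and holds cleartext passwords, which is what that interface needs to verify a challenge-keyed response; the user database is constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample user database. An IUsernameHashedPassword checker needs
# the cleartext (not a stored md5), because the client's response is keyed to
# a per-login challenge and can only be recomputed from the password itself.
USERS = {b"uwe": b"correct horse"}


def make_challenge() -> bytes:
    """Server side: a fresh random 16-byte challenge for every login attempt."""
    return hashlib.md5(os.urandom(16)).digest()


def respond(challenge: bytes, password: bytes) -> bytes:
    """Client side: md5(md5(password) + challenge).

    Assumption: this matches what twisted.spread.pb.respond computes. The
    password itself never leaves the client; only this digest is sent, and it
    changes with every challenge, so a captured response is not reusable.
    """
    hashed = hashlib.md5(password).digest()
    return hashlib.md5(hashed + challenge).digest()


def check_response(username: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: what the checker does via IUsernameHashedPassword.

    Equivalent of a checker with
        credentialInterfaces = (credentials.IUsernameHashedPassword,)
    calling credentials.checkPassword(stored_cleartext).
    """
    password = USERS.get(username)
    if password is None:
        return False
    expected = respond(challenge, password)
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(expected, response)


def login(username: bytes, password: bytes) -> bool:
    """The whole exchange: challenge out, response back, server verifies."""
    challenge = make_challenge()              # server -> client
    response = respond(challenge, password)   # client -> server
    return check_response(username, challenge, response)


if __name__ == "__main__":
    print(login(b"uwe", b"correct horse"), login(b"uwe", b"wrong"))
```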