[Twisted-Python] Authentication with Perspective Broker and hashed password file
exarkun at divmod.com
Sat Feb 12 10:57:23 EST 2005
On Sat, 12 Feb 2005 10:34:10 +0200, Tommi Virtanen <tv at twistedmatrix.com> wrote:
>Dave Cook wrote:
> > Failure: twisted.cred.error.UnhandledCredentials: No checker for
> > twisted.spread.interfaces.IJellyable,
> > twisted.cred.credentials.IUsernameHashedPassword,
> > twisted.cred.credentials.ICredentials,
> > twisted.spread.pb.IUsernameMD5Password
> > However, if I use plaintext passwords, it works fine.
> > I'm working with the example in the book:
> > http://twistedmatrix.com/documents/current/howto/pb-cred#auto7
> > with the credential checker set to
> > import sha
> > myChecker = checkers.FilePasswordDB("my_hashed_passwd_file",
> > hash =
> > lambda u, p, h: sha.new(p).hexdigest())
> Locally hashing the password only works when the password is transferred
> over the wire in plaintext.
> PB uses a challenge-response authentication, which by its nature
> requires you to store passwords in plaintext.
> You need a checker for IUsernameHashedPassword. FilePasswordDB is one,
> as long as you don't pass it the argument hash.
To extend what Tommi is saying, you could implement your own login
negotiation sequence for PB which does transfer a password over the
wire in plaintext, which would allow you to use locally hashed
passwords. This will only be usable with PB/SSL, of course (unless
you don't mind sharing your passwords with everyone else on the 'net).
PBClientFactory.login is provided primarily as a convenience, since
it covers most people's authentication requirements. It is implemented
in terms of other, "normal" PB method calls, so creating an alternate
login negotiation sequence is just a matter of calling different methods
with different arguments.
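
The trade-off discussed in this thread, as an added example that is not part of the original post and is not Twisted's code: a simplified challenge-response model (HMAC-SHA256 stands in for PB's real negotiation) checked against a plaintext store and a hashed store, next to a plaintext login checked against the hashed store. The account data and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: one account, as each kind of server would store it.
PASSWORD = b"correct horse"
PLAINTEXT_DB = {b"dave": PASSWORD}
# Mirrors the unsalted SHA-1 hex digest used in the post's FilePasswordDB hash;
# a new deployment would use a salted, slow password hash instead.
HASHED_DB = {b"dave": hashlib.sha1(PASSWORD).hexdigest().encode()}


def client_response(challenge, password):
    """Client side of challenge-response: the password never crosses the wire."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


def check_challenge_response(db, user, challenge, response):
    """Server side: recompute the response from whatever the database holds."""
    stored = db.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def check_plaintext_login(db, user, password):
    """Server side of a plaintext login (TLS assumed) against a hashed file."""
    stored = db.get(user)
    if stored is None:
        return False
    offered = hashlib.sha1(password).hexdigest().encode()
    return hmac.compare_digest(offered, stored)


def demo():
    challenge = os.urandom(16)  # fresh per login attempt
    response = client_response(challenge, PASSWORD)
    return {
        # Server holds the same secret the client keyed with: verifies.
        "cr_plaintext_db": check_challenge_response(PLAINTEXT_DB, b"dave", challenge, response),
        # Server holds only a hash of the secret: cannot reproduce the response.
        "cr_hashed_db": check_challenge_response(HASHED_DB, b"dave", challenge, response),
        # Password sent in the clear: server hashes it and compares to the file.
        "plain_hashed_db": check_plaintext_login(HASHED_DB, b"dave", PASSWORD),
        "plain_wrong_pw": check_plaintext_login(HASHED_DB, b"dave", b"guess"),
    }


if __name__ == "__main__":
    print(demo())
```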