[Twisted-Python] authentication problem

Jp Calderone exarkun at divmod.com
Wed Jul 28 10:12:07 EDT 2004


Frédéric Gobry wrote:
> [snip - correct looking client]
>

   There are a couple problems with your server.

> import os, sys
>
> authfile = os.path.expanduser ('~/.garlic/auth')
> db = None
> port = 8081
>
> from twisted.cred import portal, checkers, credentials
> from twisted.spread import pb
> from twisted.internet import reactor
> from twisted.web import static, server
> from twisted.cred import checkers, portal
>
> from twisted.python import log
> log.startLogging (sys.stderr)
>
> class Avatar (pb.Avatar):
>     def __init__ (self, uid):
>         self.id = uid
>         return
> Anonymous = Avatar ('')
>
> class User (Avatar):
>     def __init__ (self, uid, db):
>         self.id = uid
>         self.db = db
>
> class Realm:
>     """A simple implementor of cred's IRealm."""
>     __implements__ = portal.IRealm
>     def __init__ (self, db):
>         self.db = db
>
>     def requestAvatar (self, avatarId, mind, *interfaces):
>         if User not in interfaces:
>             raise NotImplementedError ("no supported interface")

   You almost certainly wanted "pb.IPerspective" above, not "User".

>         return (pb.IPerspective, User (avatarId, self.db), lambda : None)
>
> def pw_hash (user, proposed, actual):
>     parts = actual.split ('$', 3)
>     salt = '$'.join (parts [:3])
>     return crypt.crypt (proposed, salt)
>
> check = checkers.FilePasswordDB (authfile, hash = pw_hash)

   The exception given was that no checker was registered to handle
IJellyable, IUsernameHashedPassword, IUsernameMD5Password, or
ICredentials.  This is accurate.  When given an argument for hash,
checkers.FilePasswordDB is a checker _only_ for IUsernamePassword.  It
cannot authenticate for a PB connection, which uses an MD5-hashed password.

>
> remote_portal = portal.Portal (Realm (db))
> remote_portal.registerChecker (check)
>
> from twisted.spread import pb
> reactor.listenTCP (port, pb.PBServerFactory (remote_portal))
> reactor.run ()
>

   A checker that will work with PB must be a checker for
IUsernamePassword, which means storing unhashed passwords on your
server.  They can still be encrypted, if you like, but you must reverse
the encryption before the credentials can be checked.

   If storing hashed passwords is a requirement, you can write your own
authentication mechanism on top of PB and ignore the built-in version.
Unless you are somewhat familiar with the ins and outs of
authentication, I recommend against.

   Jp
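
Added example (not part of the original message, and not Twisted's code): a small model of why a store that holds only crypt-style hashes cannot confirm an MD5 challenge-response login, while it can confirm a cleartext one. The digest construction in `respond`, all class and function names, and PBKDF2 standing in for `crypt` are assumptions made for illustration.

```python
import hashlib
import hmac

def respond(challenge, password):
    # Client: send md5(md5(password) + challenge), never the password itself.
    # (Assumed construction for illustration.)
    return hashlib.md5(hashlib.md5(password).digest() + challenge).digest()

class HashedCredentials:
    """What the server's checker is handed: no password, only a way to test one."""
    def __init__(self, username, challenge, response):
        self.username, self.challenge, self.response = username, challenge, response

    def check_password(self, candidate):
        return hmac.compare_digest(respond(self.challenge, candidate), self.response)

def salted_hash(password, salt):
    # Stand-in for crypt(3): salted and one-way.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def check_with_plaintext_store(store, creds):
    stored = store.get(creds.username)
    return stored is not None and creds.check_password(stored)

def check_with_hashed_store(store, creds):
    # All the server holds is (salt, hash); neither yields the password that
    # check_password() needs, so a correct response still cannot be confirmed.
    entry = store.get(creds.username)
    return entry is not None and creds.check_password(entry[1])

def check_cleartext_login(store, username, password):
    # The IUsernamePassword case: the password itself arrives, so the server
    # can re-hash it with the stored salt and compare.
    entry = store.get(username)
    return entry is not None and hmac.compare_digest(
        salted_hash(password, entry[0]), entry[1])

def demo():
    # Constructed sample data.
    user, password = "fred", b"s3cret"
    salt, challenge = b"constructed-salt", b"constructed-challenge"
    plain_store = {user: password}
    hashed_store = {user: (salt, salted_hash(password, salt))}
    creds = HashedCredentials(user, challenge, respond(challenge, password))
    return {
        "challenge_vs_plaintext_store": check_with_plaintext_store(plain_store, creds),
        "challenge_vs_hashed_store": check_with_hashed_store(hashed_store, creds),
        "cleartext_vs_hashed_store": check_cleartext_login(hashed_store, user, password),
    }
```

`demo()` reports that the same correct password is accepted against the plaintext store, rejected against the hashed store when it arrives as a challenge response, and accepted against the hashed store when it arrives in the clear.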
