[Twisted-Python] authentication problem
Jp Calderone
exarkun at divmod.com
Wed Jul 28 10:12:07 EDT 2004
Frédéric Gobry wrote:
> [snip - correct looking client]
>
There are a couple problems with your server.
> import os, sys
>
> authfile = os.path.expanduser ('~/.garlic/auth')
> db = None
> port = 8081
>
> from twisted.cred import portal, checkers, credentials
> from twisted.spread import pb
> from twisted.internet import reactor
> from twisted.web import static, server
> from twisted.cred import checkers, portal
>
> from twisted.python import log
> log.startLogging (sys.stderr)
>
> class Avatar (pb.Avatar):
>     def __init__ (self, uid):
>         self.id = uid
>         return
> Anonymous = Avatar ('')
>
> class User (Avatar):
>     def __init__ (self, uid, db):
>         self.id = uid
>         self.db = db
>
> class Realm:
>     """A simple implementor of cred's IRealm."""
>     __implements__ = portal.IRealm
>     def __init__ (self, db):
>         self.db = db
>
>     def requestAvatar (self, avatarId, mind, *interfaces):
>         if User not in interfaces:
>             raise NotImplementedError ("no supported interface")
You almost certainly wanted "pb.IPerspective" above, not "User".
>         return (pb.IPerspective, User (avatarId, self.db), lambda : None)
>
> def pw_hash (user, proposed, actual):
>     parts = actual.split ('$', 3)
>     salt = '$'.join (parts [:3])
>     return crypt.crypt (proposed, salt)
>
> check = checkers.FilePasswordDB (authfile, hash = pw_hash)
The exception given was that no checker was registered to handle
IJellyable, IUsernameHashedPassword, IUsernameMD5Password, or
ICredentials. This is accurate. When given an argument for hash,
checkers.FilePasswordDB is a checker _only_ for IUsernamePassword. It
cannot authenticate for a PB connection, which uses an MD5-hashed password.
>
> remote_portal = portal.Portal (Realm (db))
> remote_portal.registerChecker (check)
>
> from twisted.spread import pb
> reactor.listenTCP (port, pb.PBServerFactory (remote_portal))
> reactor.run ()
>
A checker that will work with PB must be a checker for
IUsernamePassword, which means storing unhashed passwords on your
server. They can still be encrypted, if you like, but you must reverse
the encryption before the credentials can be checked.

If storing hashed passwords is a requirement, you can write your own
authentication mechanism on top of PB and ignore the built-in version.
Unless you are somewhat familiar with the ins and outs of
authentication, I recommend against.
Jp
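
The constraint described in this message, shown as an added example that is not part of the original post and is not Twisted code: a stdlib-only model of a challenge-response login checked against two kinds of stored secret. The MD5(MD5(password) + challenge) response and the PBKDF2 stand-in for crypt are assumptions made for illustration, and every function name is hypothetical.

```python
import hashlib
import hmac
import os

def stored_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3): a salted one-way hash kept in the auth file."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def respond(challenge: bytes, password: bytes) -> bytes:
    """Client side of the modelled exchange: MD5(MD5(password) + challenge)."""
    return hashlib.md5(hashlib.md5(password).digest() + challenge).digest()

def check_plaintext(record, proposed: bytes) -> bool:
    """Plaintext-style check: the server sees the password itself, so it can
    re-hash it with the stored salt and compare."""
    salt, digest = record
    return hmac.compare_digest(stored_hash(proposed, salt), digest)

def check_response(known_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Hashed-style check: the server sees only the response, so it must
    recompute it from a password it can read back out of storage."""
    return hmac.compare_digest(respond(challenge, known_password), response)

def demo():
    password = b"s3cret"                          # constructed sample credential
    salt = os.urandom(8)
    record = (salt, stored_hash(password, salt))  # what a hashed auth file holds
    challenge = os.urandom(16)                    # fresh per connection
    response = respond(challenge, password)
    return {
        # A plaintext submission verifies against the one-way hash.
        "plaintext_vs_hash": check_plaintext(record, password),
        # The response is not the password: re-hashing it never matches.
        "response_vs_hash": check_plaintext(record, response),
        # Treating the stored digest as the password does not work either.
        "digest_as_password": check_response(record[1], challenge, response),
        # Only a server that can recover the password verifies the response.
        "response_vs_password": check_response(password, challenge, response),
        # A captured response fails against a new challenge.
        "replay": check_response(password, os.urandom(16), response),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```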