[Twisted-Python] Authenticating with md5 hashed passwords

Ramiro Alba Queipo raq at cttc.upc.edu
Mon Feb 15 11:32:10 EST 2010


Jean-Paul:

On Mon, 2010-02-15 at 13:25 +0000, exarkun at twistedmatrix.com wrote:
> >>What do you mean when you say you're using plain text passwords?
> >>Authentication involves multiple parties handling the password in
> >>multiple ways, and the "plain text"-ness of the password changes from
> >>step to step.
> >
> >I mean that the the server authenticates the client using a NOT HASHED
> >password. In my case using a VARCHAR field in a PostgreSQL table
> >> >from hashlib import md5
> >> >md5Password = md5(password).hexdigest()
> >> >
> 
> I'm confused here.  I don't see this code in your checker implementation 
> in the attached code.  Is this code running someplace else?

No, of course you can not. This is only a little python script I use to
produce I hashed password that I can put in the VARCHAR field of my
PostgreSQL table. This way I can make 'pure-ftpd' authenticate using md5
hashed passwords, but for that reason I have to change pb.py code at
twisted, swaping '.digest()' with '.hexdigest()'.
That way it works but at the price of having to change original twisted
code, which is not the option I want to support.

> >> >then it does not authenticate (I use
> >> >credentials.checkMD5Password(password) at the checker class)
> >> >
> >> >Then after reading
> >> >
> >> >twisted/spread/pb.py
> >> >
> >> >I saw that everything is done in the functions:
> >> >
> >> >respond(challenge, password)
> >> >challenge()
> >> >
> >> >and the methods
> >> >
> >> >checkMD5Password(self, md5Password)
> >> >checkPassword(self, password)
> >> >
> >> >at the
> >> >
> >> >class _PortalAuthChallenger(Referenceable, _JellyableAvatarMixin)
> >> >
> >> >By changing digest() with hexdigest(), it works.
> 
> Indeed.  `checkMD5Password` needs to be passed the MD5 digest of the 
> password, not the hex encoded MD5 digest (despite being documented as 
> taking the plaintext password itself).

Yes I can understand that. So if I could put ha md5 hashed password in
the database but using digest() instead of hexdigest() I could make the
server authenticate but using 'checkMD5Password()' method directly a the
checker, but as you have said this is going to be deprecated.

> >
> >Yes I Know. You do that at the 'respond(challenge, password)' in
> >'pb.py', do you?
> >>
> >>Also, IUsernameMD5Password is about to be deprecated, along with the
> >>checkMD5Password method of _PortalAuthChallenger.
> >
> >So, how should I do it in order not to be using deprecated code? I 
> >would
> >like to know some details so that I can have a better understanding of
> >how authentication is working.
> 
> If you have the plaintext password in the PB server, then you can just 
> call `checkPassword` instead of `checkMD5Password` in 
> DBCredentialsChecker._cbAuthenticate.

Yes. This is working with plaintext password in the PB server, but not
with md5 hashed passwords, right?

Regards

-- 
Ramiro Alba

Centre Tecnològic de Tranferència de Calor
http://www.cttc.upc.edu


Escola Tècnica Superior d'Enginyeries
Industrial i Aeronàutica de Terrassa
Colom 11, E-08222, Terrassa, Barcelona, Spain
Tel: (+34) 93 739 86 46


-- 
Aquest missatge ha estat analitzat per MailScanner
a la cerca de virus i d'altres continguts perillosos,
i es considera que està net.




More information about the Twisted-Python mailing list