[Twisted-Python] Authenticating with md5 hashed passwords

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Mon Feb 15 11:45:11 EST 2010


On 04:32 pm, raq at cttc.upc.edu wrote:
>Jean-Paul:
>
>On Mon, 2010-02-15 at 13:25 +0000, exarkun at twistedmatrix.com wrote:
>> >>What do you mean when you say you're using plain text passwords?
>> >>Authentication involves multiple parties handling the password in
>> >>multiple ways, and the "plain text"-ness of the password changes
>> >>from step to step.
>> >
>> >I mean that the server authenticates the client using a NOT HASHED
>> >password. In my case using a VARCHAR field in a PostgreSQL table
>> >> >from hashlib import md5
>> >> >md5Password = md5(password).hexdigest()
>> >> >
>>
>>I'm confused here.  I don't see this code in your checker 
>>implementation
>>in the attached code.  Is this code running someplace else?
>
>No, of course you can not. This is only a little python script I use to
>produce a hashed password that I can put in the VARCHAR field of my
>PostgreSQL table. This way I can make 'pure-ftpd' authenticate using md5
>hashed passwords, but for that reason I have to change pb.py code at
>twisted, swapping '.digest()' with '.hexdigest()'.
>That way it works but at the price of having to change original twisted
>code, which is not the option I want to support.

Ah, I see.  I didn't understand that you had MD5 hashed passwords stored 
in your database.

Fortunately, the .digest() and .hexdigest() outputs of an MD5 object are 
related in a simple way.  You can go from one to the other using 
str.encode('hex') or str.decode('hex').

So, if you have hex encoded MD5 digests in your database table, then you 
can convert them to the regular MD5 digests expected by PB with 
hex_digest_password.decode('hex') and pass the result of that to 
`checkMD5Password`.
>>
>>Indeed.  `checkMD5Password` needs to be passed the MD5 digest of the
>>password, not the hex encoded MD5 digest (despite being documented as
>>taking the plaintext password itself).
>
>Yes I can understand that. So if I could put an md5 hashed password in
>the database but using digest() instead of hexdigest() I could make the
>server authenticate but using 'checkMD5Password()' method directly at the
>checker, but as you have said this is going to be deprecated.

This discussion has led me to realize that checkMD5Password probably 
shouldn't be deprecated.  Instead the documentation should be fixed so 
that it's clear why it's useful.

So, assuming we don't deprecate it, and you use the decode('hex') 
approach above, does that let you do your authentication for both apps 
and let you avoid keeping a modified version of Twisted?
>> >So, how should I do it in order not to be using deprecated code? I
>> >would
>> >like to know some details so that I can have a better understanding
>> >of how authentication is working.
>>
>>If you have the plaintext password in the PB server, then you can just
>>call `checkPassword` instead of `checkMD5Password` in
>>DBCredentialsChecker._cbAuthenticate.
>
>Yes. This is working with plaintext password in the PB server, but not
>with md5 hashed passwords, right?

Right, which doesn't make sense for you, but I suggested this thinking 
that your database had plaintext passwords in it.

Jean-Paul
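Added example (not from the thread or from Twisted itself): a stand-alone re-enactment of the hex-vs-raw digest mismatch discussed above. It mirrors PB's challenge/response as I understand it, assumed to be md5(md5(password) + challenge), using only hashlib, and shows that a checker holding hexdigest() rows must convert them to raw bytes (bytes.fromhex here, the Python 3 equivalent of the str.decode('hex') Jean-Paul suggests) before doing the comparison checkMD5Password performs. The users table, password and challenge length are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: the row a pure-ftpd style table would hold, i.e. the
# 32-character hex form produced by md5(password).hexdigest().
# (Unsalted MD5 is a weak password store; the example keeps the thread's setup.)
USERS_HEX = {"alice": hashlib.md5(b"s3cret").hexdigest()}


def make_challenge() -> bytes:
    """Server side: a random challenge (16 bytes assumed for this example)."""
    return os.urandom(16)


def respond(challenge: bytes, password: bytes) -> bytes:
    """Client side, assumed to mirror PB's respond(): md5(md5(password) + challenge)."""
    hashed = hashlib.md5(password).digest()
    return hashlib.md5(hashed + challenge).digest()


def check_md5_password(challenge: bytes, response: bytes, md5_password: bytes) -> bool:
    """Server side, the check checkMD5Password performs: it expects the raw
    16-byte digest of the password, not its hex encoding."""
    expected = hashlib.md5(md5_password + challenge).digest()
    return hmac.compare_digest(expected, response)


def authenticate(username: str, challenge: bytes, response: bytes, decode_hex: bool) -> bool:
    """The checker's _cbAuthenticate step (hypothetical name reuse from the thread):
    fetch the stored hex digest and either hand it over unchanged, which is the
    poster's failing case, or convert it to raw bytes first, which is the fix."""
    stored = USERS_HEX.get(username)
    if stored is None:
        return False
    candidate = bytes.fromhex(stored) if decode_hex else stored.encode("ascii")
    return check_md5_password(challenge, response, candidate)
```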


