[Twisted-Python] Authenticating with md5 hashed passwords
Ramiro Alba Queipo
raq at cttc.upc.edu
Mon Feb 15 02:54:55 MST 2010
Jean-Paul,
Thanks for your answers. Answers bellow. Also attachments of
client/server application tests.
On Fri, 2010-02-12 at 20:06 +0000, exarkun at twistedmatrix.com wrote:
> On 06:03 pm, raq at cttc.upc.edu wrote:
> >Hello everybody,
> >
> >I am trying to build a a client/server application using Perspective
> >Broker and wanting to authenticate against a PostgreSQL database.
> >Everything works fine if I user plain text passwords, but when trying
> >to
> >hash then using md5 using
>
> What do you mean when you say you're using plain text passwords?
> Authentication involves multiple parties handling the password in
> multiple ways, and the "plain text"-ness of the password changes from
> step to step.
I mean that the the server authenticates the client using a NOT HASHED
password. In my case using a VARCHAR field in a PostgreSQL table
> >from hashlib import md5
> >md5Password = md5(password).hexdigest()
> >
> >then it does not authenticate (I use
> >credentials.checkMD5Password(password) at the checker class)
> >
> >Then after reading
> >
> >twisted/spread/pb.py
> >
> >I saw that everything is done in the functions:
> >
> >respond(challenge, password)
> >challenge()
> >
> >and the methods
> >
> >checkMD5Password(self, md5Password)
> >checkPassword(self, password)
> >
> >at the
> >
> >class _PortalAuthChallenger(Referenceable, _JellyableAvatarMixin)
> >
> >By changing digest() with hexdigest(), it works.
> >
> >The question is:
> >
> >I there some way to make it work without making changes at the 'pb.py'
> >module?
> >
> >Yes. I should use md5Password = md5(password).digest() to produce the
> >password, but then I cant authenticate with a 'pure-ftpd' daemon I need
> >to work with.
> >
> >Any alternatives?
>
> You should register an IUsernameHashedPassword checker with the portal
> you pass to PBServerFactory and use PBClientFactory.login. See
> pbbenchserver.py and pbbenchclient.py for examples of this. Despite the
Yes I did so. You can see the attached examples I am testing with
> fact that you're passing a UsernamePassword instance to
> PBClientFactory.login, the plain text password is never sent over the
> network.
Yes I Know. You do that at the 'respond(challenge, password)' in
'pb.py', do you?
>
> Also, IUsernameMD5Password is about to be deprecated, along with the
> checkMD5Password method of _PortalAuthChallenger.
So, how should I do it in order not to be using deprecated code? I would
like to know some details so that I can have a better understanding of
how authentication is working.
Jean-Paul:
To sum up. I would like to use md5 hashed password, so as the password
can not be read at the server, but as it is at a database table it is
not as terrible as if I where using a simple text file. Furthermore I am
having problems to use a python ftp client with ssl to connect to
'pure-ftpd' with TLS, and in this case, I am really sending password
clear-text over the wire even if using hashed passwords at the server.
Thanks again for your interest
Regards
>
> Jean-Paul
>
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>
--
Ramiro Alba
Centre Tecnològic de Tranferència de Calor
http://www.cttc.upc.edu
Escola Tècnica Superior d'Enginyeries
Industrial i Aeronàutica de Terrassa
Colom 11, E-08222, Terrassa, Barcelona, Spain
Tel: (+34) 93 739 86 46
--
Aquest missatge ha estat analitzat per MailScanner
a la cerca de virus i d'altres continguts perillosos,
i es considera que està net.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: client-test.py
Type: text/x-python
Size: 705 bytes
Desc: not available
URL: </pipermail/twisted-python/attachments/20100215/495633e9/attachment-0004.py>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rqueuesrv.py
Type: text/x-python
Size: 4217 bytes
Desc: not available
URL: </pipermail/twisted-python/attachments/20100215/495633e9/attachment-0005.py>
More information about the Twisted-Python
mailing list