[Twisted-Python] Authenticating with md5 hashed passwords

Ramiro Alba Queipo raq at cttc.upc.edu
Mon Feb 15 02:54:55 MST 2010


Jean-Paul,

Thanks for your answers. Answers below. Also attachments of
client/server application tests.

On Fri, 2010-02-12 at 20:06 +0000, exarkun at twistedmatrix.com wrote:
> On 06:03 pm, raq at cttc.upc.edu wrote:
> >Hello everybody,
> >
> >I am trying to build a client/server application using Perspective
> >Broker and wanting to authenticate against a PostgreSQL database.
> >Everything works fine if I use plain text passwords, but when trying
> >to hash them using md5 using
> 
> What do you mean when you say you're using plain text passwords? 
> Authentication involves multiple parties handling the password in 
> multiple ways, and the "plain text"-ness of the password changes from 
> step to step.

I mean that the server authenticates the client using a NOT HASHED
password. In my case using a VARCHAR field in a PostgreSQL table.

> >from hashlib import md5
> >md5Password = md5(password).hexdigest()
> >
> >then it does not authenticate (I use
> >credentials.checkMD5Password(password) at the checker class)
> >
> >Then after reading
> >
> >twisted/spread/pb.py
> >
> >I saw that everything is done in the functions:
> >
> >respond(challenge, password)
> >challenge()
> >
> >and the methods
> >
> >checkMD5Password(self, md5Password)
> >checkPassword(self, password)
> >
> >at the
> >
> >class _PortalAuthChallenger(Referenceable, _JellyableAvatarMixin)
> >
> >By changing digest() with hexdigest(), it works.
> >
> >The question is:
> >
> >Is there some way to make it work without making changes at the 'pb.py'
> >module?
> >
> >Yes. I should use md5Password = md5(password).digest() to produce the
> >password, but then I can't authenticate with a 'pure-ftpd' daemon I need
> >to work with.
> >
> >Any alternatives?
> 
> You should register an IUsernameHashedPassword checker with the portal 
> you pass to PBServerFactory and use PBClientFactory.login.  See 
> pbbenchserver.py and pbbenchclient.py for examples of this.  Despite the 

Yes I did so. You can see the attached examples I am testing with

> fact that you're passing a UsernamePassword instance to 
> PBClientFactory.login, the plain text password is never sent over the 
> network.

Yes, I know. You do that at the 'respond(challenge, password)' in
'pb.py', do you?

> 
> Also, IUsernameMD5Password is about to be deprecated, along with the 
> checkMD5Password method of _PortalAuthChallenger.

So, how should I do it in order not to be using deprecated code? I would
like to know some details so that I can have a better understanding of
how authentication is working.


Jean-Paul:

To sum up: I would like to use md5 hashed passwords, so that the password
cannot be read at the server, but as it is in a database table it is
not as terrible as if I were using a simple text file. Furthermore, I am
having problems using a python ftp client with ssl to connect to
'pure-ftpd' with TLS, and in this case, I am really sending the password
in clear text over the wire even if using hashed passwords at the server.

Thanks again for your interest

Regards

> 
> Jean-Paul
> 
-- 
Ramiro Alba

Centre Tecnològic de Tranferència de Calor
http://www.cttc.upc.edu


Escola Tècnica Superior d'Enginyeries
Industrial i Aeronàutica de Terrassa
Colom 11, E-08222, Terrassa, Barcelona, Spain
Tel: (+34) 93 739 86 46


-------------- next part --------------
A non-text attachment was scrubbed...
Name: client-test.py
Type: text/x-python
Size: 705 bytes
Desc: not available
URL: </pipermail/twisted-python/attachments/20100215/495633e9/attachment-0004.py>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rqueuesrv.py
Type: text/x-python
Size: 4217 bytes
Desc: not available
URL: </pipermail/twisted-python/attachments/20100215/495633e9/attachment-0005.py>
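
The digest()/hexdigest() mismatch discussed in the message above, as an added example that is not part of the original post or of Twisted's code. It models the exchange in plain Python 3 without Twisted, assuming `respond()` in `pb.py` computes md5(md5(password) + challenge) and `checkMD5Password` compares the response with md5(stored + challenge); the function names and the sample password are constructed for illustration.

```python
import binascii
import hmac
import os
from hashlib import md5


def respond(challenge: bytes, password: bytes) -> bytes:
    """Client side (assumed model): md5(md5(password) + challenge), raw bytes."""
    return md5(md5(password).digest() + challenge).digest()


def check_md5_password(stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side (assumed model): response must equal md5(stored + challenge).

    The check needs only the stored digest, so that database column is
    itself the login secret and must be protected like a password.
    """
    expected = md5(stored + challenge).digest()
    return hmac.compare_digest(expected, response)


def raw_from_hex_column(hex_value: str) -> bytes:
    """Turn the 32-character hex text kept in the database into 16 raw bytes."""
    raw = binascii.unhexlify(hex_value)  # raises ValueError on non-hex input
    if len(raw) != md5().digest_size:
        raise ValueError("not an md5 digest")
    return raw


def demo() -> dict:
    password = b"constructed-example-password"  # constructed sample value
    db_hex = md5(password).hexdigest()           # what the VARCHAR column holds
    challenge = os.urandom(16)                   # fresh for every login attempt
    response = respond(challenge, password)
    stored = raw_from_hex_column(db_hex)
    return {
        # Hex text passed straight to the check: 32 ASCII bytes, never matches.
        "hex_as_is": check_md5_password(db_hex.encode("ascii"), challenge, response),
        # Same column converted to raw bytes first: matches.
        "unhexlified": check_md5_password(stored, challenge, response),
        # A response built from a different password is still rejected.
        "wrong_password": check_md5_password(stored, challenge, respond(challenge, b"other")),
    }


if __name__ == "__main__":
    print(demo())
```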

