> Aidas Kasparas <[email protected]> :
>On 2010.05.18 06:01, Mihamina Rakotomandimby wrote:
>>> Sam Varshavchik <[email protected]> :
>>>> - the POP or IMAP server crypt()'s the user entered password
>>>> - the POP or IMAP server compares crypt()'d ones and gives his
>>>> response
>>> This is a correct description.
>>
>> I read that crypt() requires a "salt".
>> crypt() is called:
>> encrypted_pass = crypt("the_clear_pass", "a_salt")
>>
>> If "a_salt" or "the_clear_pass" is different, the "encrypted_pass"
>> will be different.
>>
>> Therefore, the salt used to initially encrypt the password must be
>> the same as the one used to generate the user entered one.
>>
>> How do they use the same salt?
>>
>
>The salt is present in the encrypted password:
>- first two characters if traditional crypt(3) is used
>- text between 2nd and 3rd $ if md5 or sha schemas are used
>
>So, if we have an encrypted password with which to compare, we take the
>required part of this crypted password, and use this part as a salt to
>encrypt the clear text password.
>
Yeah, I read further and saw:

http://php.net/manual/en/function.crypt.php

  The standard DES-based crypt() returns the salt as the first two
  characters of the output. It also only uses the first eight characters
  of str, so longer strings that start with the same eight characters
  will generate the same result (when the same salt is used).
  [...]

  <?php
  $password = crypt('mypassword');
  if (crypt($user_input, $password) == $password) {
      echo "Password verified!";
  }
  ?>

And also:

http://docs.python.org/library/crypt.html

  crypt.crypt(word, salt)

  word will usually be a user's password as typed at a prompt or in a
  graphical interface. salt is usually a random two-character string
  which will be used to perturb the DES algorithm in one of 4096 ways.
  The characters in salt must be in the set [./a-zA-Z0-9]. Returns the
  hashed password as a string, which will be composed of characters from
  the same alphabet as the salt (the first two characters represent the
  salt itself).

  Since a few crypt(3) extensions allow different values, with different
  sizes in the salt, it is recommended to use the full crypted password
  as salt when checking for a password.
  [...]

  # Python 2 example from the crypt module documentation
  import crypt, getpass, pwd

  def login():
      username = raw_input('Python login:')
      # field 1 of the passwd entry is the crypted password
      cryptedpasswd = pwd.getpwnam(username)[1]
      if cryptedpasswd:
          if cryptedpasswd == 'x' or cryptedpasswd == '*':
              raise NotImplementedError(
                  "Sorry, currently no support for shadow passwords")
          cleartext = getpass.getpass()
          # the stored hash is passed back as the salt, so the same
          # scheme and salt are reused for the comparison
          return crypt.crypt(cleartext, cryptedpasswd) == cryptedpasswd
      else:
          return 1

I think it's OK for me, now.
Thank you anyway.

-- 
Architecte Informatique chez Blueline/Gulfsat:
Administration Systeme, Recherche & Developpement
+261 3456 000 19

------------------------------------------------------------------------------

_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
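As an added illustration of the mechanism discussed in this thread (the salt recovered from the stored crypt(3) hash, and the full stored hash passed back to crypt() as its salt argument so the scheme and salt are reused), here is a small Python 3 script. It is not from the courier-users thread, from the PHP or Python documentation, or from Courier itself. The stored hashes and passwords in it are constructed, and it relies on Python's crypt module, a wrapper over the system crypt(3) that is deprecated in 3.11 and absent from 3.13; the script detects that and still demonstrates the salt parsing on its own.

```python
# Added example: how a server locates the salt inside a stored crypt(3)
# hash and verifies a cleartext password against it. Not from the thread
# or from Courier; the sample hashes and passwords below are constructed.
import hmac

try:
    import crypt          # thin wrapper over the system crypt(3)
except ImportError:       # removed from the standard library in Python 3.13
    crypt = None


def crypt_available():
    """True when the system crypt(3) is reachable from this Python."""
    return crypt is not None


def extract_salt(crypted):
    """Return the salt text stored inside a crypt(3) hash.

    Modular-crypt form "$id$salt$hash" (md5crypt, sha256crypt, sha512crypt):
    the text between the 2nd and 3rd '$'. If the scheme carries an explicit
    "rounds=N" field ("$6$rounds=N$salt$hash") the salt is the field after it.
    Traditional DES form: the first two characters of the hash.
    """
    if crypted.startswith("$"):
        parts = crypted.split("$")        # ['', id, salt, hash] at minimum
        if len(parts) < 4 or not parts[1] or not parts[2]:
            raise ValueError("malformed modular-crypt hash: %r" % crypted)
        salt = parts[2]
        if salt.startswith("rounds=") and len(parts) >= 5:
            salt = parts[3]
        return salt
    if len(crypted) < 2:
        raise ValueError("traditional crypt hash too short: %r" % crypted)
    return crypted[:2]


def salt_setting(crypted):
    """Everything in the stored hash except the hash characters themselves.

    This is what crypt() actually consumes from its second argument: the
    scheme id, optional rounds and the salt. Handing it the whole stored
    hash works because crypt() stops reading after this prefix.
    """
    if crypted.startswith("$"):
        return crypted[: crypted.rindex("$") + 1]
    return crypted[:2]


def hash_password(cleartext, setting):
    """Hash a new password under an explicit setting such as '$6$saltsalt$'."""
    if not crypt_available():
        raise RuntimeError("crypt(3) not available from this Python")
    return crypt.crypt(cleartext, setting)


def verify_password(cleartext, crypted):
    """The server-side check: re-hash with the stored hash as the salt."""
    if not crypt_available():
        raise RuntimeError("crypt(3) not available from this Python")
    candidate = crypt.crypt(cleartext, crypted)
    if candidate is None:          # scheme unsupported by this libc
        return False
    # constant-time comparison: a plain == leaks how many leading characters match
    return hmac.compare_digest(candidate, crypted)


if __name__ == "__main__":
    # Constructed stored hashes, shaped the way they sit in a users file.
    print(extract_salt("abJnggxhB/yWI"))                 # traditional: 'ab'
    print(extract_salt("$6$saltsalt$N0tARealHash"))      # 'saltsalt'
    if crypt_available():
        stored = hash_password("correct horse", "$6$saltsalt$")
        print(stored.startswith("$6$saltsalt$"))          # True
        print(verify_password("correct horse", stored))   # True
        print(verify_password("wrong password", stored))  # False
```

The two helpers separate the idea from the implementation detail: extract_salt() shows where the salt sits, as Aidas described, while salt_setting() is the prefix crypt() really reads, which is why the Python and PHP documentation both recommend passing the complete stored hash rather than slicing out the salt yourself.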
