#11912: check_password() and "crypt()" passwords
-------------------------------------+--------------------------------------
          Reporter:  nahuel          |         Owner:  nobody
            Status:  closed          |     Milestone:        
         Component:  Authentication  |       Version:  1.1   
        Resolution:  invalid         |      Keywords:        
             Stage:  Unreviewed      |     Has_patch:  0     
        Needs_docs:  0               |   Needs_tests:  0     
Needs_better_patch:  0               |  
-------------------------------------+--------------------------------------
Changes (by kmtracey):

  * status:  new => closed
  * resolution:  => invalid

Comment:

 Replying to [comment:1 nahuel]:
 > FYI:
 > I created my htpasswd file with apache2 "htpasswd -d" command, and try
 > to import users in the Django users database.

 I believe the problem here is in how you are creating the
 hashtype$salt$hash values from your htpasswd file.  Yes, crypt is
 documented to include the 2-character salt in the result of crypt.crypt
 (http://docs.python.org/library/crypt.html).  Looking at the example on
 that page, that means when checking password you use as salt the encoded
 password value.  So for Django's hashtype$salt$hash you should either be
 using the same value for the salt and hash parts, or the first two
 characters of hash as salt.  So for your particular example, either
 'crypt$MWCXuav1H6.Tw$MWCXuav1H6.Tw' or 'crypt$MW$MWCXuav1H6.Tw'.  It
 sounds like instead you have taken the value from the htpasswd file and
 split it into 2-character salt and hash.  Don't do that -- the 2-character
 salt has to be included in the hash value as well.

 (Also btw the change you propose to line 45 would break password checking
 for the non-crypt cases.)

-- 
Ticket URL: <http://code.djangoproject.com/ticket/11912#comment:2>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
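
The conversion described in the comment above, as an added example (not code from the ticket or from Django): it turns an "htpasswd -d" line into the 'crypt$salt$hash' form and audits stored values for the stripped-salt mistake. The function names and the user name "alice" are assumptions; the hash value is the one quoted in the ticket.

```python
import re

# Traditional crypt() output is 13 characters from [./0-9A-Za-z]:
# the 2-character salt followed by 11 characters of hash.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def htpasswd_to_django(line):
    """Convert one 'user:crypt_value' htpasswd line to (user, Django password field)."""
    user, _, stored = line.strip().partition(":")
    if not user or not DES_CRYPT.fullmatch(stored):
        raise ValueError("not a traditional crypt() htpasswd entry: %r" % line)
    # Keep the full 13-character value as the hash part; the salt is
    # simply its first two characters, repeated in the salt field.
    return user, "crypt$%s$%s" % (stored[:2], stored)


def audit_django_crypt(encoded):
    """Return the problems found in a stored 'crypt$salt$hash' value ([] if well formed)."""
    parts = encoded.split("$")
    if len(parts) != 3 or parts[0] != "crypt":
        return ["not a crypt$salt$hash value"]
    _, salt, hsh = parts
    problems = []
    if not DES_CRYPT.fullmatch(hsh):
        problems.append("hash part is not the full 13-character crypt() output")
    if len(salt) < 2 or hsh[:2] != salt[:2]:
        problems.append("hash part does not begin with the salt")
    return problems


if __name__ == "__main__":
    # Constructed htpasswd line: hypothetical user, hash value from the ticket.
    user, field = htpasswd_to_django("alice:MWCXuav1H6.Tw\n")
    print(user, field)
    # The two accepted forms from the comment, then the wrongly split form.
    for value in ("crypt$MW$MWCXuav1H6.Tw",
                  "crypt$MWCXuav1H6.Tw$MWCXuav1H6.Tw",
                  "crypt$MW$CXuav1H6.Tw"):
        print(value, audit_django_crypt(value) or "ok")
```

Running the audit over existing password fields finds accounts imported with the salt split off, which can never authenticate because the stored hash no longer equals what crypt() returns.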