I totally agree with your solution Thank you
Marco Il giorno mar 15 mag 2018 alle ore 13:48 Federico Capoano < [email protected]> ha scritto: > This is the hashers django currently supports: > https://docs.djangoproject.com/en/2.0/topics/auth/passwords/#included-hashers > > The case Marco has I think is unsalted md5. > > We need to figure out what's the best way to do this. > > Django stores the passwords in a way that the hashing algorithm is > automatically understood, for example: > > >>> u = User.objects.last() > >>> u.password > > 'pbkdf2_sha256$100000$mCxeZktfubPL$DKcpEYXK8dwW7qfGhrJOz0dxxsUryHcWyGi+Pj9u404=' > > Which indicates the password is hashed using the algorithm pbkdf2_sha256, > which according to the django docs, is > "django.contrib.auth.hashers.PBKDF2PasswordHasher" > > This other value: > > sha1$bd921$0ede5c7ab710dbd0af60ca21nfa871a678184849 > > Is salted sha1 with no iterations, notice this string has only 3 blocks > (the previous one had 4: algorithm, iterations, salt, and hash). > > Unsalted md5 therefore should be something like (please verify by doing > your own tests): > > unsalted_md5$vRTDfhKNvXqofawrtJXNPA== > > If I sum all this information up, the first and simplest solution that > comes into my mind is the following: > > - the column dedicated to the password is optional, if not supplied > passwords will be generated automatically > - if the password column is present we have the following cases: > - passwords should be written as django expects them (eg: like one > of the previous password hashes I provided above), that means we should > find at least one dollar sign in them, this means the users will have > work > a bit more to generate a correct CSV, and we will do less work, which > is ok > for now because we don't want to spend too much time on this, but it > also > mean the password must be saved as is, without further hashing > - if the password does not contain any dollar sign, the system will > assume it's a cleartext password and the password will be hashed with > the > default django password hasher > > Either of the cases in which the password is present should not be > complicated to implement, it's just a matter of calling the right user > model methods. > > Create a test case for each of the previous points, but for the hashed > password case it would be better to create 3 tests, one for pbkdf2_sha256, > one for salted sha1 and one for unsalted md5. > > Before working on this, please read this page entirely: > https://docs.djangoproject.com/en/2.0/topics/auth/passwords/ > > I created a github issue: > https://github.com/openwisp/django-freeradius/issues/115 > > Fed > -- You received this message because you are subscribed to the Google Groups "OpenWISP" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
