Hi Arthur, we are discussing the feature described in these issues: https://github.com/openwisp/django-freeradius/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+csv
What you write is true but django supports many different hashing algorithms and allows extending the supported algorithms by writing "Password Hasher Classes", here it is explained in detail: How Django Stores Passwords <https://docs.djangoproject.com/en/2.0/topics/auth/passwords/#how-django-stores-passwords>.

That's beautiful and that's one of the reasons why I love Django and that's why OpenWISP uses Django, it's an excellent framework, top quality, stable, very extensible and very well documented. By reading its documentation we can implement it in the best, most secure and most reliable way.

Fed.

On Tue, May 15, 2018 at 11:56 PM Артур Скок <[email protected]> wrote:
> If you don't mind I can add my two cents. I don't know the source of the
> discussion. But maybe I can help.
> I cannot understand the problem. Do you need hash recognition from a string
> value? Hashes always have a predefined length. Accordingly, a predefined $
> position from the end.
>
> 2018-05-15 19:38 GMT+05:00 Federico Capoano <[email protected]>:
>
>> Right that's better because the clear text password may contain dollar
>> signs and the recognition would fail.
>> If we check for the presence of "cleartext$" we can be sure that's a
>> cleartext password, strip that part and take only the password from the
>> string.
>>
>> Thanks for bringing this up, I updated the github issue:
>> https://github.com/openwisp/django-freeradius/issues/115
>>
>> F.
>>
>> On Tue, May 15, 2018 at 5:08 PM Marco Cappellacci <[email protected]> wrote:
>>
>>> I thought about it and the cleartext password should be written with a
>>> dollar sign too, like cleartext$<password>
>>>
>>> On Tue, 15 May 2018 at 14:07, Rohith Asrk <[email protected]> wrote:
>>>
>>>> Looks good Federico. Working on it.
>>>>
>>>> On Tue, May 15, 2018 at 5:30 PM, Marco Cappellacci <[email protected]> wrote:
>>>>
>>>>> I totally agree with your solution
>>>>>
>>>>> Thank you
>>>>>
>>>>> Marco
>>>>>
>>>>> On Tue, 15 May 2018 at 13:48, Federico Capoano <[email protected]> wrote:
>>>>>
>>>>>> These are the hashers django currently supports:
>>>>>> https://docs.djangoproject.com/en/2.0/topics/auth/passwords/#included-hashers
>>>>>>
>>>>>> The case Marco has I think is unsalted md5.
>>>>>>
>>>>>> We need to figure out what's the best way to do this.
>>>>>>
>>>>>> Django stores the passwords in a way that the hashing algorithm is
>>>>>> automatically understood, for example:
>>>>>>
>>>>>> >>> u = User.objects.last()
>>>>>> >>> u.password
>>>>>> 'pbkdf2_sha256$100000$mCxeZktfubPL$DKcpEYXK8dwW7qfGhrJOz0dxxsUryHcWyGi+Pj9u404='
>>>>>>
>>>>>> Which indicates the password is hashed using the
>>>>>> algorithm pbkdf2_sha256, which according to the django docs, is
>>>>>> "django.contrib.auth.hashers.PBKDF2PasswordHasher"
>>>>>>
>>>>>> This other value:
>>>>>>
>>>>>> sha1$bd921$0ede5c7ab710dbd0af60ca21nfa871a678184849
>>>>>>
>>>>>> Is salted sha1 with no iterations, notice this string has only 3
>>>>>> blocks (the previous one had 4: algorithm, iterations, salt, and hash).
>>>>>>
>>>>>> Unsalted md5 therefore should be something like (please verify by
>>>>>> doing your own tests):
>>>>>>
>>>>>> unsalted_md5$vRTDfhKNvXqofawrtJXNPA==
>>>>>>
>>>>>> If I sum all this information up, the first and simplest solution
>>>>>> that comes into my mind is the following:
>>>>>>
>>>>>> - the column dedicated to the password is optional, if not
>>>>>>   supplied passwords will be generated automatically
>>>>>> - if the password column is present we have the following cases:
>>>>>>   - passwords should be written as django expects them (eg: like
>>>>>>     one of the previous password hashes I provided above), that means
>>>>>>     we should find at least one dollar sign in them, this means the
>>>>>>     users will have to work a bit more to generate a correct CSV, and
>>>>>>     we will do less work, which is ok for now because we don't want to
>>>>>>     spend too much time on this, but it also means the password must
>>>>>>     be saved as is, without further hashing
>>>>>>   - if the password does not contain any dollar sign, the system
>>>>>>     will assume it's a cleartext password and the password will be
>>>>>>     hashed with the default django password hasher
>>>>>>
>>>>>> Either of the cases in which the password is present should not be
>>>>>> complicated to implement, it's just a matter of calling the right user
>>>>>> model methods.
>>>>>>
>>>>>> Create a test case for each of the previous points, but for the
>>>>>> hashed password case it would be better to create 3 tests, one
>>>>>> for pbkdf2_sha256, one for salted sha1 and one for unsalted md5.
>>>>>>
>>>>>> Before working on this, please read this page entirely:
>>>>>> https://docs.djangoproject.com/en/2.0/topics/auth/passwords/
>>>>>>
>>>>>> I created a github issue:
>>>>>> https://github.com/openwisp/django-freeradius/issues/115
>>>>>>
>>>>>> Fed
>>>>>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "OpenWISP" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
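
The CSV password-column rules discussed in this thread, written out as an added example; it is not code from the messages above or from django-freeradius. The function names, the `KNOWN_ALGORITHMS` set and the choice to reject unknown prefixes are assumptions of the example, and the pbkdf2_sha256 helpers rebuild Django's four-block format with the Python standard library instead of calling Django.

```python
import base64
import hashlib
import hmac

# Algorithm identifiers of the hashers included in Django 2.0.
KNOWN_ALGORITHMS = {
    "pbkdf2_sha256", "pbkdf2_sha1", "argon2", "bcrypt_sha256", "bcrypt",
    "sha1", "md5", "unsalted_sha1", "unsalted_md5", "crypt",
}
CLEARTEXT_PREFIX = "cleartext$"  # marker proposed in the thread


def classify_csv_password(value):
    """Map one CSV password cell to ("generate" | "cleartext" | "hashed", payload)."""
    if not value:
        return ("generate", None)  # empty cell: generate a password
    if value.startswith(CLEARTEXT_PREFIX):
        # Strip the marker once; any later "$" belongs to the password itself.
        return ("cleartext", value[len(CLEARTEXT_PREFIX):])
    if "$" not in value:
        return ("cleartext", value)  # original rule: no "$" means cleartext
    algorithm = value.split("$", 1)[0]
    if algorithm not in KNOWN_ALGORITHMS:
        # Assumption of this example: refuse rather than store an
        # unrecognised string as-is, which would leave an unusable login.
        raise ValueError("unknown hash algorithm prefix: %r" % algorithm)
    return ("hashed", value)  # store as-is, no further hashing


def encode_pbkdf2_sha256(password, salt, iterations):
    """Build algorithm$iterations$salt$hash, the four blocks shown in the thread."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(digest).decode("ascii"))


def verify_pbkdf2_sha256(password, encoded):
    """Recompute the hash from the stored parameters; constant-time compare."""
    algorithm, iterations, salt, _ = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("not a pbkdf2_sha256 hash")
    expected = encode_pbkdf2_sha256(password, salt, int(iterations))
    return hmac.compare_digest(expected.encode(), encoded.encode())


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    stored = encode_pbkdf2_sha256("constructed-pass", "constructedsalt", 1000)
    for cell in ["", "cleartext$pa$$word", "plainpass", stored]:
        print(repr(cell), "->", classify_csv_password(cell))
    print(verify_pbkdf2_sha256("constructed-pass", stored))
```

A cleartext value such as `pa$$word` written without the `cleartext$` marker is rejected here, which is the failure the marker was introduced to avoid.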
