Re: [Zope] Re: PAS and md5 or crypt passwords
Piotr Furman wrote:
>> I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the google specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.
>
> Maybe you should take a look at SQLPASPlugin - http://plone.org/products/sqlpasplugin - there are some SHA encryption possibilities, however they are commented out by default. So you would have to modify its code a little bit.

That's what I was using before. I had no idea that it supported SHA, or that it was so easy to add MD5. That has solved my problem - Thanks.

It's a pretty silly implementation, though. The point of hashing passwords with MD5 or SHA1 is that if an attacker can read the password files due to some kind of security leak, he still doesn't have the passwords themselves, so he still can't log in. Unfortunately, the way it is implemented in SQLPASPlugin, the fact that he doesn't have the password doesn't matter, because if you put the hash itself in the password field, you are allowed into the site. It doesn't matter too much for my application, but it's something that should probably be fixed.

Thanks for everyone's advice, though.

Robert (Jamie) Munro

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: PAS and md5 or crypt passwords
+---[ Robert (Jamie) Munro ]--
[snip]
| It's a pretty silly implementation, though. The point of hashing
| passwords with MD5 or SHA1 is that if an attacker can read the password
| files due to some kind of security leak, he still doesn't have the
| passwords themselves, so he still can't login.

Remembering that if you have enough access to get to the database, you probably have enough access to alter the Zope app itself (either by inserting a new user, or through other permissions). So at that point it would be trivial to alter any code to simply spew out the plaintext passwords (although needing them at this point would probably be pointless).

I wouldn't worry about people trying to bruteforce your passwords; there are many, much more efficient methods to grab zope passwords, once you achieve a certain level of minimal access.

| Unfortunately, the way it
| is implemented in SQLPASPlugin, the fact that he doesn't have the
| password doesn't matter because if you put the hash itself in the
| password field, you are allowed into the site.

Yeah well...

--
Andrew Milton
[EMAIL PROTECTED]
[Zope] Re: PAS and md5 or crypt passwords
Robert (Jamie) Munro wrote:
> Piotr Furman wrote:
>>> I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the google specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.
>>
>> Maybe you should take a look at SQLPASPlugin - http://plone.org/products/sqlpasplugin - there are some SHA encryption possibilities, however they are commented out by default. So you would have to modify its code a little bit.
>
> That's what I was using before. I had no idea that it supported SHA, or that it was so easy to add MD5. That has solved my problem - Thanks.
>
> It's a pretty silly implementation, though. The point of hashing passwords with MD5 or SHA1 is that if an attacker can read the password files due to some kind of security leak, he still doesn't have the passwords themselves, so he still can't log in. Unfortunately, the way it is implemented in SQLPASPlugin, the fact that he doesn't have the password doesn't matter, because if you put the hash itself in the password field, you are allowed into the site. It doesn't matter too much for my application, but it's something that should probably be fixed.

The problem is actually that SQLPASPlugin is schizoid about whether or not to use encrypted passwords (see the 'updateUserPassword' method for more weirdness). The plugin should probably have a boolean property, 'encrypt_passwords', which would control the behavior of 'authenticateCredentials' and 'updateUserPassword'.

I've added an issue to the collector for SQLPasPlugin:

  http://plone.org/products/sqlpasplugin/issues/4

Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   Excellence by Design     http://palladion.com
Re: [Zope] Re: PAS and md5 or crypt passwords
Tres Seaver wrote:
> Robert (Jamie) Munro wrote:
>> How do you use md5 passwords in PAS? I've got an SQL database already populated with usernames and md5 passwords from an old system that I am replacing - I don't have the cleartext passwords.
>
> You write an authentication plugin which takes the credentials as keys in a dict (e.g., 'login_name', 'password'), encrypts the password using the same algorithm as your old system, and then compares them. E.g., (untested)::
>
>     import md5
>
>     # Note: interpolating the submitted login straight into SQL text is
>     # injectable; a real plugin should bind it as a query parameter.
>     PASSWORD_TEST_SQL = ("select * from users "
>                          "where login_name = '%s' "
>                          "and encrypted_pw = '%s'")
>
>     def authenticateCredentials(self, credentials):
>         login = credentials['login']
>         clear = credentials['password']
>         encrypted = md5.new(clear).hexdigest()  # or whatever
>         matched = self._execSQL(PASSWORD_TEST_SQL % (login, encrypted))
>         if matched:
>             return matched[0]['userid'], login
>         return {}

I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the google specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.

    LOG('MD5AuthPlugin', INFO,
        'Login attempt: login: %s, clear: %s, encrypted: %s'
        % (login, clear, encrypted))

Any ideas?

Thanks,
Robert (Jamie) Munro
Re: [Zope] Re: PAS and md5 or crypt passwords
On 12 Oct 2006, at 14:03, Robert (Jamie) Munro wrote:
> I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the google specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.
>
>     LOG('MD5AuthPlugin', INFO,
>         'Login attempt: login: %s, clear: %s, encrypted: %s'
>         % (login, clear, encrypted))

Is your new plugin correctly registered as authentication plugin? If it does not get called at all it might not be.

jens
[Zope] Re: PAS and md5 or crypt passwords
> I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the google specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.

Maybe you should take a look at SQLPASPlugin - http://plone.org/products/sqlpasplugin - there are some SHA encryption possibilities, however they are commented out by default. So you would have to modify its code a little bit.

regards
Piotr Furman
[Zope] Re: PAS and md5 or crypt passwords
Robert (Jamie) Munro wrote:
> How do you use md5 passwords in PAS? I've got an SQL database already populated with usernames and md5 passwords from an old system that I am replacing - I don't have the cleartext passwords.

You write an authentication plugin which takes the credentials as keys in a dict (e.g., 'login_name', 'password'), encrypts the password using the same algorithm as your old system, and then compares them. E.g., (untested)::

    import md5

    # Note: interpolating the submitted login straight into SQL text is
    # injectable; a real plugin should bind it as a query parameter.
    PASSWORD_TEST_SQL = ("select * from users "
                         "where login_name = '%s' "
                         "and encrypted_pw = '%s'")

    def authenticateCredentials(self, credentials):
        login = credentials['login']
        clear = credentials['password']
        encrypted = md5.new(clear).hexdigest()  # or whatever
        matched = self._execSQL(PASSWORD_TEST_SQL % (login, encrypted))
        if matched:
            return matched[0]['userid'], login
        return {}

Tres.

--
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   Excellence by Design     http://palladion.com
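The hash-equals-password flaw Jamie describes and the 'encrypt_passwords' switch Tres proposes, side by side, as an added example that is not part of this thread nor of SQLPASPlugin's or PAS's code. It assumes a constructed in-memory SQLite users table standing in for the plugin's SQL backend, and the function names (make_db, flawed_authenticate, authenticate) are hypothetical.

```python
import hashlib
import hmac
import sqlite3


def md5_hex(text):
    """Hex MD5 digest of a str, the legacy scheme the thread is migrating from."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """Constructed stand-in for the legacy users table: one row, whose
    encrypted_pw column holds the MD5 hex digest of the password 's3cret'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER, login_name TEXT, encrypted_pw TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'jamie', ?)", (md5_hex("s3cret"),))
    return db


def _lookup(db, login):
    # Bound parameter rather than '%s' interpolation: the login never becomes SQL.
    return db.execute("SELECT userid, encrypted_pw FROM users WHERE login_name = ?",
                      (login,)).fetchone()


def flawed_authenticate(db, login, password):
    """Behaviour Jamie reports: the plugin has not decided whether the column
    holds a digest, so it accepts a match against either form. A leaked digest
    therefore works as a password."""
    row = _lookup(db, login)
    if row is None:
        return None
    userid, stored = row
    if password == stored or md5_hex(password) == stored:
        return userid, login
    return None


def authenticate(db, login, password, encrypt_passwords=True):
    """Shape of Tres's proposal: one boolean fixes what the column holds, and
    only the correspondingly transformed submission is compared against it."""
    row = _lookup(db, login)
    if row is None:
        return None
    userid, stored = row
    candidate = md5_hex(password) if encrypt_passwords else password
    # Constant-time comparison on bytes; the check itself leaks nothing about stored.
    if hmac.compare_digest(candidate.encode(), stored.encode()):
        return userid, login
    return None
```

With encrypt_passwords=False the function trusts the column to be cleartext, so the flag must match the schema the plugin was pointed at; the point is that the decision is made once, not per submitted value.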