Jean-Paul:

On Mon, 2010-02-15 at 13:25 +0000, exar...@twistedmatrix.com wrote:
> >>What do you mean when you say you're using plain text passwords?
> >>Authentication involves multiple parties handling the password in
> >>multiple ways, and the "plain text"-ness of the password changes from
> >>step to step.
> >
> >I mean that the server authenticates the client using a NOT HASHED
> >password. In my case using a VARCHAR field in a PostgreSQL table
> >> >from hashlib import md5
> >> >md5Password = md5(password).hexdigest()
> >> >
>
> I'm confused here. I don't see this code in your checker implementation
> in the attached code. Is this code running someplace else?

No, of course you can not. This is only a little Python script I use to
produce a hashed password that I can put in the VARCHAR field of my
PostgreSQL table. This way I can make 'pure-ftpd' authenticate using md5
hashed passwords, but for that reason I have to change pb.py code at
twisted, swapping '.digest()' with '.hexdigest()'. That way it works but
at the price of having to change original twisted code, which is not the
option I want to support.

> >> >then it does not authenticate (I use
> >> >credentials.checkMD5Password(password) at the checker class)
> >> >
> >> >Then after reading
> >> >
> >> >twisted/spread/pb.py
> >> >
> >> >I saw that everything is done in the functions:
> >> >
> >> >respond(challenge, password)
> >> >challenge()
> >> >
> >> >and the methods
> >> >
> >> >checkMD5Password(self, md5Password)
> >> >checkPassword(self, password)
> >> >
> >> >at the
> >> >
> >> >class _PortalAuthChallenger(Referenceable, _JellyableAvatarMixin)
> >> >
> >> >By changing digest() with hexdigest(), it works.
>
> Indeed. `checkMD5Password` needs to be passed the MD5 digest of the
> password, not the hex encoded MD5 digest (despite being documented as
> taking the plaintext password itself).

Yes, I can understand that. So if I could put an md5 hashed password in
the database but using digest() instead of hexdigest() I could make the
server authenticate but using the 'checkMD5Password()' method directly at
the checker, but as you have said this is going to be deprecated.

> >
> >Yes, I know. You do that at the 'respond(challenge, password)' in
> >'pb.py', do you?
> >>
> >>Also, IUsernameMD5Password is about to be deprecated, along with the
> >>checkMD5Password method of _PortalAuthChallenger.
> >
> >So, how should I do it in order not to be using deprecated code? I would
> >like to know some details so that I can have a better understanding of
> >how authentication is working.
>
> If you have the plaintext password in the PB server, then you can just
> call `checkPassword` instead of `checkMD5Password` in
> DBCredentialsChecker._cbAuthenticate.

Yes. This is working with plaintext password in the PB server, but not
with md5 hashed passwords, right?

Regards

--
Ramiro Alba

Centre Tecnològic de Tranferència de Calor
http://www.cttc.upc.edu

Escola Tècnica Superior d'Enginyeries
Industrial i Aeronàutica de Terrassa
Colom 11, E-08222, Terrassa, Barcelona, Spain
Tel: (+34) 93 739 86 46
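
The digest()/hexdigest() mismatch from the thread, as an added example that is not part of the original messages and not Twisted's own code: a stand-alone Python 3 model of the exchange showing that decoding the stored hexdigest inside the checker avoids changing pb.py. The names `check_md5_password` and `stored_hex_to_digest`, the sample password and the challenge are assumptions made for illustration; `respond` is modelled on the behaviour the thread describes, and the constant-time comparison is this example's choice.

```python
import hashlib
import hmac
from binascii import unhexlify

# Constructed sample values, not taken from the thread.
PASSWORD = b"constructed-sample-password"
CHALLENGE = b"constructed-16-byte-nonce"[:16]


def respond(challenge: bytes, password: bytes) -> bytes:
    """Client side: MD5(MD5(password).digest() + challenge)."""
    hashed = hashlib.md5(password).digest()
    return hashlib.md5(hashed + challenge).digest()


def check_md5_password(challenge: bytes, response: bytes, md5_password: bytes) -> bool:
    """Server side: md5_password must be the raw 16-byte MD5 digest."""
    expected = hashlib.md5(md5_password + challenge).digest()
    return hmac.compare_digest(response, expected)


def stored_hex_to_digest(stored_hex: str) -> bytes:
    """Turn the hexdigest kept in the VARCHAR column back into raw bytes."""
    raw = unhexlify(stored_hex.strip())
    if len(raw) != hashlib.md5().digest_size:
        raise ValueError("not an MD5 hexdigest")
    return raw


def demo() -> dict:
    # What the little script writes to the database: 32 hex characters.
    stored_hex = hashlib.md5(PASSWORD).hexdigest()
    response = respond(CHALLENGE, PASSWORD)
    return {
        # Passing the hex string straight through fails: the client hashed
        # the 16 raw bytes, not their 32-character hex encoding.
        "hex_as_is": check_md5_password(CHALLENGE, response, stored_hex.encode("ascii")),
        # Decoding in the checker succeeds, with pb.py left unmodified.
        "hex_decoded": check_md5_password(CHALLENGE, response, stored_hex_to_digest(stored_hex)),
    }


if __name__ == "__main__":
    print(demo())
```

In this scheme the stored MD5 digest is itself enough to compute a valid response, so the column holding it needs the same protection as a plaintext password.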