SimpleUserFolder and sha-crypted passwd
Hi

I want to put my old loginmanager to rest and put something simple in. SimpleUserFolder sounds nice, but it seems to do the password matching itself, and since I have sha-crypted passwords, I need to match the passwords in encrypted format. Any ideas? If none, can you please tell me to *not* use SimpleUserFolder (perhaps you have an alternative as well?).

For the record; I keep my users in a database.

Thank you!

regards Bjorge

-- http://www.ii.uib.no/~bjorge/smile/Smiles -- Bjørge Solli - Universitas Bergensis, Norway mailto:Bjorge@Kvarteret.no icq#29210281 MSN:bobelloco@hotmail.com Møllendalsv.19, 5009 Bergen, Norway tel:+47 55202853/91614343
Hi

Update: I now know how to get the passwords to be encrypted, but I still have problems.

I try to make a getUserDetails file like this:

    return { 'name' : 'bob', 'password' : 'test', 'roles' : 'student' }

(I have tried with and without name as a parameter.) It will not authenticate me!

I do not wish to implement editUser, addUser and deleteUser, so they look like this:

    print('nothing')
    return printed

What am I missing? (I use Zope 2.6 and Python 2.1.3)

I tried the test scripts in tests:
test_User.py: I needed to import ZODB, but after that it worked
test_Unconfigured.py: worked
test_PythonScriptUsage.py: did not work since I have my scripts inside a subfolder in Zope
test_AcquireUsage.py: worked, but I don't understand what it does

Thank you!
Bjorge

On Mon, 16 Dec 2002, Bjørge Solli wrote:
Hi
I want to put my old loginmanager to rest and put something simple in. SimpleUserFolder sounds nice, but it seems to do the password matching itself, and since I have sha-crypted passwords, I need to match the passwords in encrypted format. Any ideas? If none, can you please tell me to *not* use SimpleUserFolder (perhaps you have an alternative as well?).
For the record; I keep my users in a database.
Thank you!
regards Bjorge
On Mon, 2002-12-16 at 05:23, Bjørge Solli wrote:
Hi
I want to put my old loginmanager to rest and put something simple in. SimpleUserFolder sounds nice, but it seems to do the password matching itself, and since I have sha-crypted passwords, I need to match the passwords in encrypted format. Any ideas? If none, can you please tell me to *not* use SimpleUserFolder (perhaps you have an alternative as well?).
For the record; I keep my users in a database.
Thank you!
I've been down that road... SHA should work roughly the same as MD5 below.

Adam
From exUserFolder/pgAuthSourceAlt/pgAuthSource.py
    # Imports the excerpt relies on (they sit at the top of the real file)
    from crypt import crypt
    import md5

    # Original cryptPassword function: classic Unix crypt(3), salted with the
    # first two characters of the username
    def cryptPassword(self, username, password):
        salt = username[:2]
        secret = crypt(password, salt)
        return secret

    # Alternate cryptPassword function, returns md5 hash of the password
    #def cryptPassword(self, username, password):
    #    passhash = md5.new(password)
    #    secret = passhash.hexdigest()
    #    return secret

    # Alternate cryptPassword function, returns plain text of the password.
    #def cryptPassword(self, username, password):
    #    return password
Adam Manock wrote:
On Mon, 2002-12-16 at 05:23, Bjørge Solli wrote:
Hi
I want to put my old loginmanager to rest and put something simple in. SimpleUserFolder sounds nice, but it seems to do the password matching itself, and since I have sha-crypted passwords, I need to match the passwords in encrypted format. Any ideas? If none, can you please tell me to *not* use SimpleUserFolder (perhaps you have an alternative as well?).
Have you tried it? It might just work on its own ;-)

Take a look in lib/python/AccessControl/AuthEncoding.py and see if your SHA stuff is supported there. If it is, Zope's normal userfolder stuff (and therefore SUF too) will use it if it can...

Lemme know how you get on, I'll help if things need changing to make it work...

cheers,

Chris
Hi again

On Fri, 27 Dec 2002, Chris Withers wrote:
Adam Manock wrote:
On Mon, 2002-12-16 at 05:23, Bjørge Solli wrote:
I want to put my old loginmanager to rest and put something simple in. SimpleUserFolder sounds nice, but it seems to do the password matching itself, and since I have sha-crypted passwords, I need to match the passwords in encrypted format. Any ideas? If none, can you please tell me to *not* use SimpleUserFolder (perhaps you have an alternative as well?).
Have you tried it? It might just work on its own ;-)
It works fine if I use only SQL with the easy table from createTable.sql and I copy all the tests/*.sql into my folder where the SUF object is. I can also change the getUsers so it gets my correct users. But my roles are stored in different tables, and I have no good way of making a query returning on the format SUF understands (my SQL expert is working on it though ;-). So what I have been trying is to make a Python Script returning a dictionary on the preferred form: {'password':########, 'roles':[role1,role2]}

In addition to this problem my encryption is different from the normal userfolder standard, so I also change the encryption (basically I unhexlify it and encode it with binascii.b2a_base64). I also add the prefix '{SHA}' to the password after changing it.
From /lib/python/AccessControl/AuthEncoding.py I find that the SHA scheme looks like this:

    class SHADigestScheme:

        def encrypt(self, pw):
            return b2a_base64(sha.new(pw).digest())[:-1]

        def validate(self, reference, attempt):
            compare = b2a_base64(sha.new(attempt).digest())[:-1]
            return (compare == reference)

    registerScheme('SHA', SHADigestScheme())

I encrypt the password in this way:

    crypted = sha.new(plaintext).hexdigest()

I change the passwords I get from my database in this way:

    prefiks = '{SHA}'
    passord = binascii.b2a_base64(binascii.unhexlify(crypted))[:-1]
    passwd = '%s%s' %(prefiks,passord)

But this does not work! I really don't understand why!

I also include the full source code of my getUserDetails; it is partly written in Norwegian, but you should understand everything important (many similar words).

Parameter List: self, name

    import binascii

    student = 0
    KursMedArbeider = 0
    KursAns = 0
    StudieVeileder = 0
    passwd = ''
    roller = []

    # find the password
    kryptertTab = self.SQL_findPasswd(email=name)
    for i in kryptertTab:
        kryptert = i[1]
        prefiks = '{SHA}'
        passord = binascii.b2a_base64(binascii.unhexlify(kryptert))[:-1]
        passwd = '%s%s' %(prefiks,passord)
        #passwd = passord

    if passwd == '':
        name = 'Anonymous User'

    # check whether it is Mr. Anonymous :)
    if name == 'Anonymous User':
        roller.append('Anonymous')
        ret = {'password':passwd, 'roles':roller}
        return ret
    else:
        student = 1
        # check whether the person has roles from personEmne
        rolleTab = self.SQL_RolesFromPersonEmne(email=name)
        for i in rolleTab:
            rolle = i[1]
            if rolle == 'KursMedArbeider':
                KursMedArbeider = 1
            if rolle == 'KursAns':
                KursAns = 1
        # check whether the person has roles from a department
        studieveilederTab = self.SQL_isStudieveileder(epost=name)
        for i in studieveilederTab:
            StudieVeileder = 1
        rolleTab = self.SQL_RolesFromPersonRolle(email=name)
        for i in rolleTab:
            roller.append(i[1])
        if student:
            roller.append('student')
        if KursMedArbeider:
            roller.append('KursMedArbeider')
        if KursAns:
            roller.append('KursAns')
        if StudieVeileder:
            roller.append('StudieVeileder')
        # merge the answer into a dict
        ret = {'password':passwd, 'roles':roller}
        return ret

(yes, importing binascii works!)

Hope you see a terrible mistake I have done right away ;-)

One question I have asked is if it is possible to mix SQL and py(?).

And if you really do bother reading all this and help me, I am really grateful!

cheers Bjorge
Take a look in lib/python/AccessControl/AuthEncoding.py and see if your SHA stuff is supported there. If it is, Zope's normal userfolder stuff (and therefore SUF too) will use it if it can...
Lemme know how you get on, I'll help if things need changing to make it work...
cheers,
Chris
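The conversion discussed above, broken into the separate steps Chris recommends checking, as an added example that is not from the thread or from Zope/SUF: it turns a hex-encoded SHA-1 digest like the one in the database into the '{SHA}' plus base64 form that AuthEncoding's SHADigestScheme compares against, and validates a login attempt the same way the scheme does. It uses Python 3's hashlib and base64 in place of the Python 2 sha and b2a_base64 calls on the page; the function names are assumptions of this example.

```python
# Added example (not from the thread or from Zope/SUF): convert a hex-encoded SHA-1
# digest, as stored in the database, into the '{SHA}<base64>' form that Zope 2.6's
# AuthEncoding SHADigestScheme compares against, then validate a login attempt the
# way that scheme does. Python 3 hashlib/base64 stand in for Python 2 sha/b2a_base64.
import base64
import binascii
import hashlib
import hmac

PREFIX = '{SHA}'


def hex_sha1(plaintext):
    """How the database in the thread stores passwords: sha.new(plaintext).hexdigest()."""
    return hashlib.sha1(plaintext.encode('utf-8')).hexdigest()


def zope_sha_encrypt(plaintext):
    """Mirror of SHADigestScheme.encrypt: base64 of the raw 20-byte digest, no newline."""
    digest = hashlib.sha1(plaintext.encode('utf-8')).digest()
    return base64.b64encode(digest).decode('ascii')


def hex_to_zope_sha(hex_digest):
    """Step 1: hex -> 20 raw bytes (unhexlify). Step 2: raw bytes -> base64 (what
    b2a_base64(...)[:-1] produced). Step 3: prepend the scheme tag."""
    raw = binascii.unhexlify(hex_digest)
    if len(raw) != 20:
        raise ValueError('expected a 40-hex-char SHA-1 digest, got %d bytes' % len(raw))
    return PREFIX + base64.b64encode(raw).decode('ascii')


def validate(reference, attempt):
    """What the user folder does with a '{SHA}'-tagged password: drop the tag, hash
    the attempt the same way, compare. compare_digest avoids the timing side channel
    that the plain '==' in AuthEncoding's validate() leaves open."""
    if not reference.startswith(PREFIX):
        raise ValueError('not a {SHA}-tagged password')
    return hmac.compare_digest(reference[len(PREFIX):], zope_sha_encrypt(attempt))


if __name__ == '__main__':
    # Constructed sample: what a SQL_findPasswd-style query would return for 'test'.
    stored_hex = hex_sha1('test')
    ref = hex_to_zope_sha(stored_hex)
    print(stored_hex, '->', ref)
    print('correct password accepted:', validate(ref, 'test'))
    print('wrong password rejected:', not validate(ref, 'Test'))
```

Printing the intermediate values (hex, raw length, base64, tagged string) at each step is the quickest way to spot where a stored value stops matching what SHADigestScheme.encrypt would produce.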
Bjørge Solli wrote:
It works fine if I use only SQL with the easy table from createTable.sql and I copy all the tests/*.sql into my folder where the SUF object is. I can also change the getUsers so it gets my correct users. But my roles are stored in different tables, and I have no good way of making a query returning on the format SUF understands (my SQL expert is working on it though ;-)
Yep, you either need to get SQL to return the correct format, or just use a script, as you suggest:
I encrypt the password in this way: crypted = sha.new(plaintext).hexdigest()
Is this code in a Script (Python)?
I change the passwords I get from my database in this way:

    prefiks = '{SHA}'
    passord = binascii.b2a_base64(binascii.unhexlify(crypted))[:-1]
    passwd = '%s%s' %(prefiks,passord)
But this does not work! I really don't understand why!
Well, break it down into steps, and see what you're getting at each stage. I can't see anything obviously bad but then I know next to nothing about SHA.
One question I have asked is if it is possible to mix sql and py(?).
Don't know what you mean.

cheers,

Chris
OK, I solved it. It seems to go wrong if I try to have addUser, deleteUser, editUser and getUserNames as SQL methods and getUserDetails as a Python Script, so after ripping my hair off I changed them all to Python Scripts. And suddenly everything worked fine :-) I have no idea if this was due to an error on my behalf or if it is a limitation in SUF (if it is, you should try to get rid of it!).

Just for the record; I did not change my encryption lines, and yes they are in Python Scripts (some external).

You might think of caching the username and roles in some way; is it really necessary to query the db every single GET command?

Thank you very much for all your help! Really great of everybody on this list to help each other :o)

cheers Bjorge

On Mon, 6 Jan 2003, Chris Withers wrote:
Bjørge Solli wrote:
It works fine if I use only SQL with the easy table from createTable.sql and I copy all the tests/*.sql into my folder where the SUF object is. I can also change the getUsers so it gets my correct users. But my roles are stored in different tables, and I have no good way of making a query returning on the format SUF understands (my SQL expert is working on it though ;-)
Yep, you either need to get SQL to return the correct format, or just use a script, as you suggest:
I encrypt the password in this way: crypted = sha.new(plaintext).hexdigest()
Is this code in a Script (Python)?
I change the passwords I get from my database in this way:

    prefiks = '{SHA}'
    passord = binascii.b2a_base64(binascii.unhexlify(crypted))[:-1]
    passwd = '%s%s' %(prefiks,passord)
But this does not work! I really don't understand why!
Well, break it down into steps, and see what you're getting at each stage. I can't see anything obviously bad but then I know next to nothing about SHA.
One question I have asked is if it is possible to mix sql and py(?).
Don't know what you mean.
cheers,
Chris
Bjørge Solli wrote:
I solved it. It seems to go wrong if I try to have addUser, deleteUser, editUser and getUserNames as SQL methods and getUserDetails as a Python Script, so after ripping my hair off I changed them all to Python Scripts. And suddenly everything worked fine :-) I have no idea if this was due to an error on my behalf or if it is a limitation in SUF (if it is, you should try to get rid of it!).
I'm afraid it's likely to be an error on your part. There's no such limitation in SUF to my knowledge, but if you can demonstrate one I'd be happy to fix it.
Just for the record; I did not change my encryption lines, and yes they are in Python Scripts (some external).
My question was relating to importing some of the stuff you're using from within Script (Python)'s. Things like sha are unlikely to have Zope security assertions and so would have failed with an UnauthorizedError when you tried to use them. If that happens as part of the user authorization process, you might experience it as your username/passwords from SUF 'not working'.
You might think of caching the username and roles in some way; is it really necessary to query the db every single GET command?
True, I'd prefer not to throw more responsibility onto SUF. If this is an issue, I'd suggest looking into using Zope's standard cache managers on your getUserDetails method. If you do this and can work it into a How-To, that'd be very very cool :-)

cheers,

Chris
On Wed, Jan 08, 2003 at 09:03:00AM +0000, Chris Withers wrote:
I solved it. It seems to go wrong if I try to have addUser, deleteUser, editUser and getUserNames as SQL methods and getUserDetails as a Python Script, so after ripping my hair off I changed them all to Python Scripts. And suddenly everything worked fine :-) I have no idea if this was due to an error on my behalf or if it is a limitation in SUF (if it is, you should try to get rid of it!).
I'm afraid it's likely to be an error on your part. There's no such limitation in SUF to my knowledge, but if you can demonstrate one I'd be happy to fix it.
Bjørge, it would be nice to know if you can demonstrate it and report it back to Chris Withers..
Just for the record; I did not change my encryption lines, and yes they are in Python Scripts (some external).
My question was relating to importing some of the stuff you're using from within Script (Python)'s. Things like sha are unlikely to have Zope security assertions and so would have failed with an UnauthorizedError when you tried to use them. If that happens as part of the user authorization process, you might experience it as your username/passwords from SUF 'not working'.
We've allowed sha into Zope with "allow_module('sha')".
You might think of caching the username and roles in some way; is it really necessary to query the db every single GET command?
True, I'd prefer not to throw more responsibility onto SUF. If this is an issue, I'd suggest looking into using Zope's standard cache managers on your getUserDetails method. If you do this and can work it into a How-To, that'd be very very cool :-)
I must say I'm _very_ impressed with how well it's performing without any caching. I was concerned that either the password hashing or SQL queries on our 1500-user postgres database would create too high a load on the server, but it really isn't noticeable.

Unauthenticated:

    % timex wget -q --output-document=/dev/null http://realfag.uib.no/uptime

    real 0.02
    user 0.00
    sys 0.00

Authenticated:

    % timex wget -q --output-document=/dev/null --http-user=janfrode@ii.uib.no --http-passwd=IllNeverTell http://realfag.uib.no/uptime

    real 0.05
    user 0.00
    sys 0.00

Actually the authenticated timings are a bit less stable than unauthenticated. Goes from 0.05 seconds to ~0.10. Maybe we'll try to add SQL caching later, but with this speed it doesn't seem worth the effort.

BTW: I was a bit concerned when Bjørge picked SUF over exUserFolder. SUF sounded too much like a small simple hack to demonstrate that somebody knows how to hack Zope. But it's really very powerful! I think something like SUF should be the default userfolder in Zope (with some default addUser, deleteUser, getUserDetails, etc.) that gives exactly the same behaviour as the current User Folder. It's annoying that there are too many different UFs to choose from, and not all end up being actively maintained..

So, thank you for SUF!

-jf
Jan-Frode Myklebust wrote:
We've allowed sha into Zope with "allow_module('sha')".
Where did you put that?
I must say I'm _very_ impressed with how well it's performing without any caching. I was concerned that either the password hashing or SQL queries on our 1500-user postgres database would create too high a load on the server, but it really isn't noticeable.
ZSQL Methods do caching, perhaps you're benefitting from that :-)
Actually the authenticated timings are a bit less stable than unauthenticated. Goes from 0.05 seconds to ~0.10.
That would make sense :-)
Maybe we'll try to add SQL caching later, but with this speed it doesn't seem worth the effort.
*grinz* IIRC, you're using a Python Script for one of your methods; if so, have a look at the standard Zope cache managers if you run into speed problems.
SUF sounded too much like a small simple hack to demonstrate that somebody knows how to hack Zope. But it's really very powerful!
Thanks, my philosophy with software is to keep things very simple, generalised and powerful, rather than trying to cover all bases and fail.
think something like SUF should be the default userfolder in Zope (with some default addUser, deleteUser, getUserDetails, etc.)
Probably the best place to suggest it would be zope3-dev@zope.org, although if you write a proposal on dev.zope.org and get it all approved, I'd be happy to do the development work for Zope 2.7...
gives exactly the same behaviour as the current User Folder. It's annoying that there are too many different UFs to choose from, and not all end up being actively maintained..
Indeed. Hence why I wrote SUF; it shouldn't need any maintenance because it does so little.
So, thank you for SUF!
No probs :-)

cheers,

Chris