PAS and md5 or crypt passwords
How do you use md5 passwords in PAS? I've got an SQL database already populated with usernames and md5 passwords from an old system that I am replacing - I don't have the cleartext passwords. Thanks, Robert (Jamie) Munro
Robert (Jamie) Munro wrote:
How do you use md5 passwords in PAS?
I've got an SQL database already populated with usernames and md5 passwords from an old system that I am replacing - I don't have the cleartext passwords.
You write an authentication plugin which takes the credentials as keys in a dict (e.g., 'login_name', 'password'), encrypts the password using the same algorithm as your old system, and then compares them. E.g., (untested)::

    import md5

    # Look up the user whose stored digest equals the digest of the
    # submitted password.  NOTE: interpolating 'login' straight into the
    # SQL string is open to injection; use the DB adapter's parameter
    # binding for the real thing.
    PASSWORD_TEST_SQL = ("select * from users where login_name = '%s' "
                         "and encrypted_pw = '%s'")

    def authenticateCredentials(self, credentials):
        login = credentials['login']
        clear = credentials['password']
        encrypted = md5.new(clear).hexdigest()  # or whatever the old system did
        matched = self._execSQL(PASSWORD_TEST_SQL % (login, encrypted))
        if matched:
            # PAS expects a (user_id, login) tuple on success ...
            return matched[0]['userid'], login
        # ... and None when the credentials do not authenticate.
        return None

Tres.

-- 
===================================================================
Tres Seaver          +1 202-558-7113          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
Tres Seaver wrote:
Robert (Jamie) Munro wrote:
How do you use md5 passwords in PAS?
I've got an SQL database already populated with usernames and md5 passwords from an old system that I am replacing - I don't have the cleartext passwords.
You write an authentication plugin which takes the credentials as keys in a dict (e.g., 'login_name', 'password'), encrypts the password using the same algorithm as your old system, and then compares them. E.g., (untested)::
    import md5

    # Look up the user whose stored digest equals the digest of the
    # submitted password.  NOTE: interpolating 'login' straight into the
    # SQL string is open to injection; use the DB adapter's parameter
    # binding for the real thing.
    PASSWORD_TEST_SQL = ("select * from users where login_name = '%s' "
                         "and encrypted_pw = '%s'")

    def authenticateCredentials(self, credentials):
        login = credentials['login']
        clear = credentials['password']
        encrypted = md5.new(clear).hexdigest()  # or whatever the old system did
        matched = self._execSQL(PASSWORD_TEST_SQL % (login, encrypted))
        if matched:
            # PAS expects a (user_id, login) tuple on success ...
            return matched[0]['userid'], login
        # ... and None when the credentials do not authenticate.
        return None
I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the Google-specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.

    LOG("MD5AuthPlugin", INFO, "Login attempt: login: %s, clear: %s, encrypted: %s" % (login, clear, encrypted))

Any ideas?

Thanks,
Robert (Jamie) Munro
On 12 Oct 2006, at 14:03, Robert (Jamie) Munro wrote:
I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the Google-specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.
    LOG("MD5AuthPlugin", INFO, "Login attempt: login: %s, clear: %s, encrypted: %s" % (login, clear, encrypted))
Is your new plugin correctly registered as an authentication plugin? If it does not get called at all it might not be.

jens
I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the Google-specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.
Maybe you should take a look at SQLPASPlugin - http://plone.org/products/sqlpasplugin - there are some SHA encryption possibilities, however they are commented by default. So you would have to modify its code a little bit.

regards
Piotr Furman
Piotr Furman wrote:
I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the Google-specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.
Maybe you should take a look at SQLPASPlugin - http://plone.org/products/sqlpasplugin - there are some SHA encryption possibilities, however they are commented by default. So you would have to modify its code a little bit.
That's what I was using before. I had no idea that it supported SHA, or that it was so easy to add MD5. That has solved my problem - Thanks

It's a pretty silly implementation, though. The point of hashing passwords with MD5 or SHA1 is that if an attacker can read the password files due to some kind of security leak, he still doesn't have the passwords themselves, so he still can't log in. Unfortunately, the way it is implemented in SQLPASPlugin, the fact that he doesn't have the password doesn't matter because if you put the hash itself in the password field, you are allowed into the site. It doesn't matter too much for my application, but it's something that should probably be fixed.

Thanks for everyone's advice, though.

Robert (Jamie) Munro
+-------[ Robert (Jamie) Munro ]----------------------
[snip]
| It's a pretty silly implementation, though. The point of hashing
| passwords with MD5 or SHA1 is that if an attacker can read the password
| files due to some kind of security leak, he still doesn't have the
| passwords themselves, so he still can't log in.

Remembering that if you have enough access to get to the database, you probably have enough access to alter the Zope app itself (either by inserting a new user, or through other permissions). So at that point it would be trivial to alter any code to simply spew out the plaintext passwords (although needing them at this point would probably be pointless). I wouldn't worry about people trying to bruteforce your passwords, there are many, much more efficient methods to grab zope passwords, once you achieve a certain level of minimal access.

| Unfortunately, the way it
| is implemented in SQLPASPlugin, the fact that he doesn't have the
| password doesn't matter because if you put the hash itself in the
| password field, you are allowed into the site.

Yeah well...

-- 
Andrew Milton
akm@theinternet.com.au
Robert (Jamie) Munro wrote:
Piotr Furman wrote:
I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code and removed the Google-specific code. It doesn't give any errors, but it also doesn't let me log in. I've tried adding a line to log things, but that doesn't seem to be working either.
Maybe you should take a look at SQLPASPlugin - http://plone.org/products/sqlpasplugin - there are some SHA encryption possibilities, however they are commented by default. So you would have to modify its code a little bit.
That's what I was using before. I had no idea that it supported SHA, or that it was so easy to add MD5. That has solved my problem - Thanks
It's a pretty silly implementation, though. The point of hashing passwords with MD5 or SHA1 is that if an attacker can read the password files due to some kind of security leak, he still doesn't have the passwords themselves, so he still can't log in. Unfortunately, the way it is implemented in SQLPASPlugin, the fact that he doesn't have the password doesn't matter because if you put the hash itself in the password field, you are allowed into the site.
It doesn't matter too much for my application, but it's something that should probably be fixed.
The problem is actually that SQLPASPlugin is schizoid about whether or not to use encrypted passwords (see the 'updateUserPassword' method for more weirdness). The plugin should probably have a boolean property, 'encrypt_passwords', which would control the behavior of 'authenticateCredentials' and 'updateUserPassword'. I've added an issue to the collector for SQLPasPlugin: http://plone.org/products/sqlpasplugin/issues/4

Tres.

-- 
===================================================================
Tres Seaver          +1 202-558-7113          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
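As an added illustration (not code from this thread, from SQLPASPlugin or from PAS), the following shows the behaviour Robert describes, where a stored hash submitted as the password is accepted, beside a plugin in which the single 'encrypt_passwords' property Tres proposes drives both 'authenticateCredentials' and 'updateUserPassword'. An in-memory dict stands in for the SQL users table, the method names follow the PAS plugin interface, and the constant-time comparison via hmac.compare_digest is my choice, not anything the thread specifies.

```python
import hashlib
import hmac


def md5_hex(clear):
    """Legacy unsalted MD5 digest, kept so the existing hashes stay usable."""
    return hashlib.md5(clear.encode("utf-8")).hexdigest()


def make_users():
    # Constructed stand-in for the SQL 'users' table: login_name -> row.
    return {"jamie": {"userid": 42, "encrypted_pw": md5_hex("s3cret")}}


def authenticate_hash_or_clear(users, login, password):
    """The flaw Robert describes: the stored digest matches either the hash
    of the submitted password or the submitted value itself, so a leaked
    hash logs in directly."""
    row = users.get(login)
    if row is None:
        return None
    stored = row["encrypted_pw"]
    if stored == md5_hex(password) or stored == password:
        return row["userid"], login
    return None


class FixedSQLAuthPlugin:
    """One 'encrypt_passwords' flag drives both methods, as Tres proposes."""

    def __init__(self, users, encrypt_passwords=True):
        self.users = users
        self.encrypt_passwords = encrypt_passwords

    def _stored_form(self, clear):
        # Exactly one representation is ever compared against or written.
        return md5_hex(clear) if self.encrypt_passwords else clear

    def authenticateCredentials(self, credentials):
        login = credentials.get("login")
        clear = credentials.get("password")
        if login is None or clear is None or login not in self.users:
            return None
        stored = self.users[login]["encrypted_pw"].encode("utf-8")
        if hmac.compare_digest(stored, self._stored_form(clear).encode("utf-8")):
            return self.users[login]["userid"], login  # PAS: (user_id, login)
        return None

    def updateUserPassword(self, login, new_clear):
        # Written in the same form authenticateCredentials compares against.
        self.users[login]["encrypted_pw"] = self._stored_form(new_clear)
```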
Robert (Jamie) Munro wrote:
I've got an SQL database already populated with usernames and md5 passwords from an old system that I am replacing - I don't have the cleartext passwords.
If you're using MySQL or (iirc) Postgres, then I'm pretty sure this will work out of the box if you use SimpleUserFolder...

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
participants (6): Andrew Milton, Chris Withers, Jens Vagelpohl, Piotr Furman, Robert (Jamie) Munro, Tres Seaver