[Zope-dev] PAS, AuthEncoding and zope.password

Martijn Pieters mj at zopatista.com
Sun Feb 20 09:17:53 EST 2011


On Sun, Feb 20, 2011 at 12:39, Martijn Pieters <mj at zopatista.com> wrote:
>> Yes, changing the existing interface would require a 4.0. If you'd add
>> a new interface extending the IPasswordManager one, we could do it in
>> a 3.x release.
>>
>> A new zope.password 3.x release could go into both ZTK 1.1 and 1.0, a
>> backwards incompatible 4.0 would have to wait for ZTK 1.2.
>
> Right. What would be a suitable name for the extended interface?
> IMatchingPasswordManager?
>
> I've committed a revision that implements this as an extension to the
> existing interface:
>
>  http://zope3.pov.lt/trac/changeset/120458/zope.password/trunk
>
> but that's easy enough to change.
>
> I've also found that the SHA1 scheme in zope.password uses the {SHA1}
> prefix, which is incompatible with LDAP and
> AccessControl.AuthEncoding, which both use {SHA} instead. I'll change
> zope.password to support {SHA} as well, defaulting to that prefix.

I've implemented the {SHA} prefix change, as well as implemented {CRYPT}
support, making zope.password useful for all schemes explicitly named
in RFC 2307, except the MD5 scheme.

The latter uses a salt by default, making it incompatible with LDAP
{MD5}. OpenLDAP implements a salted MD5 scheme ({SMD5}) but places
the salt at the end of the hash, not at the beginning as the
zope.password manager implements it.

I think I can keep that one backwards compatible but disable support
for generating hashes with a salt, and add an SMD5 manager to implement
a compatible scheme.

With all the new password managers, this will be at least a 3.7
release, with a separate extended interface.

-- 
Martijn Pieters
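
The prefix and salt-placement points in the message above, as an added example (not part of the original post and not zope.password code): a minimal verifier for {SCHEME}-prefixed values using the OpenLDAP layout, base64(digest + salt), for the salted schemes. It goes slightly beyond the message by also covering {SSHA}; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Digest constructor and digest length for each scheme handled here.
SCHEMES = {
    "SHA": (hashlib.sha1, 20),
    "SSHA": (hashlib.sha1, 20),
    "MD5": (hashlib.md5, 16),
    "SMD5": (hashlib.md5, 16),
}
SALTED = {"SSHA", "SMD5"}


def split_scheme(stored):
    """Split '{SCHEME}payload' into (SCHEME, payload); scheme names are case-insensitive."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix")
    scheme, payload = stored[1:].split("}", 1)
    return scheme.upper(), payload


def encode(scheme, password, salt=b""):
    """Build a stored value; salted schemes append the salt after the digest."""
    hash_fn, _ = SCHEMES[scheme]
    if scheme in SALTED:
        salt = salt or os.urandom(8)
    else:
        salt = b""  # {SHA} and {MD5} are unsalted by definition
    digest = hash_fn(password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check(stored, password):
    """Verify a password, recovering the salt from the end of the decoded payload."""
    try:
        scheme, payload = split_scheme(stored)
        hash_fn, size = SCHEMES[scheme]
        raw = base64.b64decode(payload, validate=True)
    except (ValueError, KeyError):
        return False  # unknown scheme (e.g. {SHA1}) or malformed value: reject
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or bool(salt) != (scheme in SALTED):
        return False
    return hmac.compare_digest(hash_fn(password + salt).digest(), digest)
```

A value built with the salt in front of the digest fails this check even with the correct password, which is why the two layouts cannot share one prefix.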

