[Zope] UserDb extensions

Ross J. Reedstrom reedstrm@wallace.ece.rice.edu
Thu, 20 May 1999 13:19:49 -0500 (CDT)


Hey zopeists - 
I've already sent a note to the DC guys about this, but they're all busy
having fun at the Expo, so I thoungt I'd let the rest of you know, as
well. I'v been using the USerDb unsupported product, and like it. However,
I'v been bothered by seeing my users cleartext passwords in the db, so I
added crypt hashed storage to the UserDb product. This will allow the use
of unix 'passwd' style passwords (also used by apache for .htpasswd files)
in the database. It also gives a modicum of security if you db backend
is on a different machine from the Zope install, so the passwords don't
travel around in the clear in the SQL queries.

Of course, the biggest benfit is my not having to cringe when I see the
bad passwords people chose in the database ;-)

If anyone wants the patches, I can supply them. I assume it'll show up in 
the unsupported or contrib downloads at www.zope.org, once they get back.

This requires the python crypt module. My Win32 install seems to have
included it automagically. I had to copy the cryptmodule.so from my system
python install into my Zope specific one to get in to work on Linux.

Ross

P.S. A useful script, for converting an exisiting sql db: as written,
it takes a whitespace seperated file of username,password pairs and
spits out sql statements to update the passwords (this version works
with Postgresql: you may need to flavor by changing the ; or something
to work with other dbs)

from string import split,letters
from crypt import crypt
from whrandom import choice
import fileinput

for line in fileinput.input():
   name,password=split(line)
      print "update users set password='%s' where username='%s';" % (crypt(password,choice(letters)+choice(letters)),name)

-- 
Ross J. Reedstrom, Ph.D., <reedstrm@rice.edu> 
NSBRI Research Scientist/Programmer
Computer and Information Technology Institute
Rice University, 6100 S. Main St.,  Houston, TX 77005