I will redo it with crypt then. BTW, it does work. It takes the stored password hash, then hashes the supplied password and compares them. If the hashes are the same, you have the same password. When I used the username for the salt, you could only get a direct match when both the stored username and password matched the supplied username and password. This is running on my system right now.
Also, the crypt line, "password = crypt(password, '$1$'+ 'saltedflavor')", was not supposed to be in there, sorry. I would like to use the username for the salt; that way I can truncate it off the stored hash, but this is your call.

Jason Tackaberry wrote:
> On Mon, 2007-01-01 at 08:36 -0800, Ryan Roth wrote:
>
>> Here is a more polite way of sending the patch, sorry
>>
>
> No problem. However the patch does need some work:
>
>
>> +password = crypt(password, '$1$'+ 'saltedflavor')
>>
>
> You're using a fixed salt, which rather defeats the purpose of a salt.
> You should derive the salt from /dev/urandom. (man crypt for details on
> the legal values for salt.)
>
>
>> +password = md5.new(password)
>>
>
> This is unnecessary, and in fact if you use a random salt, cannot be
> done at all. The value returned by crypt() is suitable for writing out
> directly to the file.
>
>
>
>> print 'auth_user(self, username=\"%s\", password=\"%s\")' %
>> (username, '******')
>> realpass = config.WWW_USERS.get(username)
>> - if not realpass:
>> - md5user = md5.new(username + password)
>> - realpass =
>> config.WWW_USERS.get(base64.b32encode(md5user.digest()))
>> - md5pass = md5.new(password + username)
>> - password = base64.b32encode(md5pass.digest())
>> + md5pass = md5.new(password)
>> if realpass == password:
>> return True
>> + elif realpass == b16encode(md5pass.digest()):
>> + return True
>>
>
> Hmm, did you test this?
>
> I can't figure out how this is supposed to work. Am I right in assuming
> that the user supplied password is the variable password, and realpass
> is what's written to the config file (as generated by the passwd
> helper)? (realpass variable name ought to be changed to cryptpass.) In
> this case the password helper stored the md5 hash of the crypted version
> of the password, and this is compared to the md5 of the literal
> password. Unless I'm missing something there's no way this can work.
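Review bot: in the two password-helper fragments quoted above (`+password = crypt(password, '$1$'+ 'saltedflavor')` and `+password = md5.new(password)`), the second line rebinds `password` to an md5 object rather than a string, so whatever the helper writes to the config file is that object's repr unless `.hexdigest()` (or `.digest()` plus an encoding) is called on it; and because the md5 is computed over the crypt() output, the `$1$saltedflavor` salt prefix that crypt() embeds in its own result is hashed away, leaving the verifier no way to recover the salt from the stored value. Drop the md5 step, pass a per-user salt read from /dev/urandom as crypt()'s second argument, and store crypt()'s return value unchanged.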
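Review bot: the two comparisons in the auth_user hunk cannot both be right for one stored format. `if realpass == password` matches only if config.WWW_USERS holds the cleartext password, and `elif realpass == b16encode(md5pass.digest())` matches only an unsalted hex MD5 of the cleartext, whereas the helper in the same patch stores md5.new(crypt(password, '$1$saltedflavor')); neither branch can succeed for a helper-generated entry. Also, the removed lines called `base64.b32encode`, but the added line calls bare `b16encode`; unless `from base64 import b16encode` is added elsewhere, the first login attempt that reaches the elif raises NameError. Since `realpass = config.WWW_USERS.get(username)` yields None for an unknown user and None falls through both branches, make sure the function ends with an explicit `return False`. Suggested shape: `cryptpass = config.WWW_USERS.get(username)` / `if cryptpass and crypt(password, cryptpass) == cryptpass: return True` / `return False`, since crypt() accepts the full stored string as its salt argument and reads the `$1$...$` salt prefix out of it, which removes the need to parse the salt by hand.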
>
> In any case the right approach is to get rid of all the md5 stuff,
> generate a random salt from /dev/urandom in the password helper and
> write out the output generated by crypt(). Then in web_types.py, parse
> the salt from realpass, feed that into crypt() along with password, and
> compare the return value with realpass.
>
> Thanks,
> Jason.

_______________________________________________
Freevo-users mailing list
Freevo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freevo-users
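The scheme Jason describes at the end of his message (random salt generated in the password helper, stored alongside the hash, then parsed back out of the stored value when a login is checked), as an added example that is not Freevo's code and not from either poster. It substitutes hashlib.pbkdf2_hmac for crypt() because Python's crypt module has been removed from recent Python 3 releases; the `$pbkdf2-sha256$<iterations>$<salt>$<hash>` storage format, the function names and the sample users are assumptions made for this illustration.

```python
import binascii
import hashlib
import hmac
import os
from base64 import b64decode, b64encode

# Assumed storage format for this example (not Freevo's):
#   $pbkdf2-sha256$<iterations>$<base64 salt>$<base64 digest>
# Everything the verifier needs to re-derive the hash travels with the hash,
# which is the property Jason's "parse the salt from realpass" step relies on.
SCHEME = "pbkdf2-sha256"
ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output length


def _derive(password, salt, iterations):
    """Stand-in for crypt(): password + salt -> fixed-length digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_password_entry(password, salt=None, iterations=ITERATIONS):
    """Password-helper side.

    A fresh salt comes from the OS CSPRNG (os.urandom reads /dev/urandom on
    Unix), so two users with the same password get different stored entries.
    The salt parameter exists only so tests can produce a deterministic entry.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    # Base64 never emits '$', so '$' is a safe field separator.
    return "$%s$%d$%s$%s" % (
        SCHEME,
        iterations,
        b64encode(salt).decode("ascii"),
        b64encode(digest).decode("ascii"),
    )


def parse_entry(entry):
    """Split a stored entry into (iterations, salt, digest); None if malformed.

    A malformed entry (wrong scheme, bad base64, odd digest length) must fail
    closed rather than be compared against anything.
    """
    parts = entry.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME:
        return None
    try:
        iterations = int(parts[2])
        salt = b64decode(parts[3], validate=True)
        digest = b64decode(parts[4], validate=True)
    except (ValueError, binascii.Error):
        return None
    if iterations <= 0 or not salt or len(digest) != DIGEST_BYTES:
        return None
    return iterations, salt, digest


def check_password(stored_entry, password):
    """Verifier side (what web_types.py would do).

    Recover the salt and parameters from the stored string, re-derive with the
    supplied password, and compare in constant time. None (unknown user) or a
    malformed entry yields False instead of raising.
    """
    if stored_entry is None:
        return False
    parsed = parse_entry(stored_entry)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    return hmac.compare_digest(_derive(password, salt, iterations), digest)


def auth_user(users, username, password):
    """Mirror of the auth_user lookup: users maps username -> stored entry."""
    return check_password(users.get(username), password)


if __name__ == "__main__":
    # Constructed sample users; same password, different salts, different entries.
    users = {
        "ryan": make_password_entry("correct horse"),
        "jason": make_password_entry("correct horse"),
    }
    print(users["ryan"])
    print(users["jason"])
    print(auth_user(users, "ryan", "correct horse"))   # True
    print(auth_user(users, "ryan", "wrong"))           # False
    print(auth_user(users, "nobody", "correct horse")) # False
```

The fixed-salt objection from the thread is visible directly: with os.urandom the two entries above differ even though the passwords are equal, so a cracker cannot test one guess against every user at once. The explicit `return False` paths cover the unknown-user case that the quoted auth_user hunk falls through silently.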