On Mon, 2007-01-01 at 08:56 -0800, Ryan Roth wrote:
> I will redo it with crypt then. BTW it does work. It takes the stored
> password hash, then it hashes the supplied password and compares them.
The patch as submitted wouldn't work (because it had the crypt line that
shouldn't have been there, as you said). No problem, we all submit
patches with accidental cruft left behind. :)
> 'saltedflavor')", was not supposed to be in there, sorry. I would like
> to use the username for the salt that way I can truncate it off the
> stored hash, but this is your call.
I'm going to rule with an iron fist on this one. :) If we're going to
do it at all, let's do it right. I don't fully understand the security
characteristics of using the salt as the username, but then neither do
you. But intuitively it is less secure than using a random salt.
Cryptography is hard enough, but it's also largely a solved problem. We
have existing models to follow (in this case the standard unix passwd
model), and deviating from a model that's was devised and reviewed by
security experts, been in use for years, and has well understood
security properties, seems to me to be a bad idea.
I feel compelled to quote Peter Gutmann:
"Whenever someone thinks that they can replace SSL/SSH with
something much better that they designed this morning over
coffee, their computer speakers should generate some sort of
penis-shaped sound wave and plunge it repeatedly into their
skulls until they achieve enlightenment."
So the password helper will:
1. Prompt for username and password
2. generate a salt of 8 random bytes (from the set [a–zA–Z0–9./])
gotten from /dev/urandom
3. Output username and crypt.crypt(password, "$1$%s$" % salt)
And the webserver will:
1. Read username and password from remote end
2. grab cryptpass from config file for given username
3. Parse $1$.{8}$ from cryptpass as salt.
4. Compare cryptpasss with crypt.crypt(pasword, "$1$%s%$" % salt)
Hopefully you're not too exasperated. I'm just stubborn. :)
Thanks,
Jason.
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Freevo-users mailing list
Freevo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freevo-users
