New submission from Christian Heimes <[email protected]>:
The spwd module has several flaws. Especially the combination of spwd and crypt
for password verification is dangerous and in almost all cases technically
wrong.

    # don't do this!
    pw1 = spwd.getspnam(username).sp_pwd
    pw2 = crypt.crypt(password, pw1)
    if pw1 == pw2:
        ...

On BSD, Linux, and macOS, account and credential verification must go through
PAM.
Also see:
https://mail.python.org/pipermail/python-dev/2019-May/157562.html
https://mail.python.org/pipermail/python-dev/2019-May/157564.html
----------
assignee: christian.heimes
components: Documentation, Extension Modules
messages: 343072
nosy: christian.heimes
priority: high
severity: normal
stage: needs patch
status: open
title: Document that spwd is considered harmful
type: security
versions: Python 2.7, Python 3.7, Python 3.8, Python 3.9
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue36997>
_______________________________________
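
An added example, not part of the original report or of CPython: a small AST scan that flags Python source combining spwd.getspnam with crypt.crypt, the pattern the report warns against, so that such code can be found and moved to PAM. The function names and the sample source are constructed for illustration.

```python
import ast

# Calls that together make up the spwd + crypt password check from the report.
TARGETS = {("spwd", "getspnam"), ("crypt", "crypt")}

def _resolve_imports(tree):
    """Map local names to their origin so aliases and from-imports are seen."""
    modules, functions = {}, {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name in ("spwd", "crypt"):
                    modules[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module in ("spwd", "crypt"):
            for a in node.names:
                functions[a.asname or a.name] = (node.module, a.name)
    return modules, functions

def find_shadow_password_checks(source):
    """Return sorted (lineno, call) pairs, only if BOTH target calls appear."""
    tree = ast.parse(source)
    modules, functions = _resolve_imports(tree)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        target = None
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            target = (modules.get(f.value.id), f.attr)  # spwd.getspnam(...)
        elif isinstance(f, ast.Name):
            target = functions.get(f.id)                # getspnam(...)
        if target in TARGETS:
            hits.append((node.lineno, "%s.%s" % target))
    seen = {name for _, name in hits}
    return sorted(hits) if seen == {"spwd.getspnam", "crypt.crypt"} else []

# Constructed sample input: the pattern from the report, written with aliases.
SAMPLE = """\
import spwd as s
from crypt import crypt as c
def check(user, password):
    stored = s.getspnam(user).sp_pwd
    return c(password, stored) == stored
"""

if __name__ == "__main__":
    for lineno, call in find_shadow_password_checks(SAMPLE):
        print("line %d: %s used in a shadow password check" % (lineno, call))
```

The scan only parses source text, so it also runs on interpreters where the spwd and crypt modules are not available.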