[Repoze-dev] [issue82] Add HashFormPlugin - JavaScript hashing

2009-05-20 Thread Douglas Mayle

Douglas Mayle doug...@mayle.org added the comment:

I've commented on this patch on the mailing list, but wanted to make sure my
concerns were recorded here:
* `if cleartext_password.startswith('{SHA}'):`
  The hashing system is entirely optional at the client level, so you don't provide password protection for all clients.

* The challenge used for verification is the challenge supplied by the client. This defeats entirely the point of a challenge. I see you do some calculations to restrict the range of possible challenges (based on time), but a challenge response only works if the challenge is random and server supplied. If not, then it's vulnerable to precomputation...

* You're performing an HMAC with the challenge as the key. The purpose of an HMAC is to provide authentication of the message in the case of a shared private key. In this case, the key is public (as it's sent over the wire) and that means that there is no difference between this HMAC and a standard hash.

* In the case of a hashed password, you perform an HMAC of the hashed password. In a standard hashed password system, the user must know the clear text password in order to log in. The point of the hash is to prevent authentication in the case of a database leak. In your system, the hashed password is sufficient to login, and so you've removed the protection that password hashing provides.

* While it's true that using a different key per request means that attackers who sniff the HMAC won't be able to use rainbow tables to compute the password from the HMAC, the passwords are still stored as standard hashed passwords, and that means that a db leak leaves all of your accounts compromised. With salted hashes, that is not true...

--
topic: +repoze.who

__
Repoze Bugs b...@bugs.repoze.org
http://bugs.repoze.org/issue82
__
___
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
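The objections above can be made concrete with a toy model. This is an added example written for this page, not the patch's own code and not repoze.who's: the real hashform.py is not on this page, so the model assumes the scheme stores '{SHA}' plus an unsalted hex SHA-1 of the password (as the test app later in this thread does) and that the login response is HMAC(key=challenge, msg=stored value). The sniffed challenge value and the user rows are constructed sample data. Each function returns the outcome of one objection: replay against a client-chosen challenge, the same replay against a random single-use server nonce, pass-the-hash with a leaked row, and a one-pass dictionary crack of unsalted digests.

```python
import hashlib
import hmac
import os

# Assumed model of the scheme under review (the real hashform.py is not on
# this page): the database holds '{SHA}' + unsalted hex SHA-1 of the
# password, and the login response is HMAC(key=challenge, msg=stored value).

def store_password(password):
    """Unsalted '{SHA}' digest, as in the test app's users table."""
    return '{SHA}' + hashlib.sha1(password.encode()).hexdigest()

def response_for(challenge, stored_digest):
    """What the browser-side JavaScript would send. The key (challenge)
    travels in the clear, so anyone holding stored_digest can compute this;
    that is objection 3: an HMAC keyed with a public value is just a hash."""
    return hmac.new(challenge.encode(), stored_digest.encode(),
                    hashlib.sha1).hexdigest()

def verify_client_challenge(stored_digest, challenge, response):
    """Objection 2: the server recomputes with whatever challenge the
    request carried, so it cannot tell a fresh login from a replay."""
    return hmac.compare_digest(response_for(challenge, stored_digest), response)

class NonceServer:
    """The fix asked for above: a random, server-issued, single-use challenge."""
    def __init__(self, stored_digest):
        self.stored = stored_digest
        self.outstanding = set()

    def challenge(self):
        c = os.urandom(16).hex()
        self.outstanding.add(c)
        return c

    def verify(self, challenge, response):
        if challenge not in self.outstanding:
            return False          # never issued, or already consumed
        self.outstanding.discard(challenge)
        return hmac.compare_digest(response_for(challenge, self.stored), response)

def replay_against_client_challenge(stored_digest):
    """Sniff one (challenge, response) pair and send it again: accepted."""
    sniffed_challenge = '1242777600'   # constructed: a time-derived value the client picked
    sniffed_response = response_for(sniffed_challenge, stored_digest)
    return verify_client_challenge(stored_digest, sniffed_challenge, sniffed_response)

def replay_against_nonce_server(stored_digest):
    """Same replay against single-use nonces: first use passes, second fails."""
    server = NonceServer(stored_digest)
    c = server.challenge()
    r = response_for(c, stored_digest)
    return server.verify(c, r), server.verify(c, r)

def pass_the_hash(stored_digest):
    """Objection 4: even with proper nonces, a leaked row logs in without
    the password, because the response is computed from the stored digest."""
    server = NonceServer(stored_digest)
    c = server.challenge()
    return server.verify(c, response_for(c, stored_digest))

def dictionary_crack(leaked_rows, wordlist):
    """Objection 5: unsalted digests let one pass over a wordlist crack every
    account at once; a per-user salt would force a table per account."""
    table = {store_password(w): w for w in wordlist}
    return {user: table.get(digest) for user, digest in leaked_rows}

if __name__ == '__main__':
    leaked = store_password('test')           # constructed: the test app's 'paj' row
    print('replay vs client challenge :', replay_against_client_challenge(leaked))
    print('replay vs nonce server     :', replay_against_nonce_server(leaked))
    print('pass-the-hash vs nonce srv :', pass_the_hash(leaked))
    print('crack of leaked table      :',
          dictionary_crack([('paj', leaked), ('bob', leaked)], ['hunter2', 'test']))
```

Note that the nonce server fixes only the replay; pass_the_hash still succeeds against it, which is the fourth point: as long as the client-side computation starts from the stored digest rather than the cleartext password, the database row is a login credential.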


[Repoze-dev] [issue82] Add HashFormPlugin - JavaScript hashing

2009-05-20 Thread Chris McDonough

Chris McDonough chr...@plope.com added the comment:

We're actually trying to encourage people to release plugins in separate
packages these days.   This is a good candidate.  I'm going to mark this one as
resolved as a result, although really the task is to create a separate Python
package that houses the hashform.py module and tests.  For a sample of how
others have packaged repoze.who plugins, see
http://pypi.python.org/pypi/repoze.who-friendlyform/1.0b3

--
status: in-progress - resolved



[Repoze-dev] [issue82] Add HashFormPlugin - JavaScript hashing

2009-05-19 Thread Paul Johnston

Paul Johnston paul@gmail.com added the comment:

Ok, here's the patch. Potential bad interaction with ticket 85 - see discussion
on list


Attachment: hashform.patch


[Repoze-dev] [issue82] Add HashFormPlugin - JavaScript hashing

2009-05-19 Thread admin

System message:




[Repoze-dev] [issue82] Add HashFormPlugin - JavaScript hashing

2009-05-19 Thread Paul Johnston

Paul Johnston paul@gmail.com added the comment:

Here's a test app you can use to try it out

import sqlite3
import hashlib
import webob as wo
import wsgiref.simple_server as wrs

def simple_app(environ, start_response):
    # Protected application: 200 once repoze.who has set REMOTE_USER,
    # 401 otherwise so the challenger (HashFormPlugin) renders the login form.
    req = wo.Request(environ)
    resp = wo.Response(request=req, content_type='text/html; charset=UTF8')
    if 'REMOTE_USER' in environ:
        resp.body = 'hello world'
    else:
        resp.status = 401
    return resp(environ, start_response)

from repoze.who.middleware import PluggableAuthenticationMiddleware
from repoze.who.classifiers import default_request_classifier
from repoze.who.classifiers import default_challenge_decider
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.hashform import HashFormPlugin
from repoze.who.plugins.sql import SQLAuthenticatorPlugin, default_password_compare

# In-memory user table. The stored value is an unsalted '{SHA}' hex digest,
# which is what stored_sha=True on the form plugin expects. hashlib.sha1
# replaces the deprecated sha module and yields the same digest.
db = sqlite3.connect(':memory:')
db.execute('create table users (name varchar, password varchar)')
db.execute('insert into users values (?, ?)',
           ('paj', '{SHA}' + hashlib.sha1('test').hexdigest()))
db.commit()

sqlauth = SQLAuthenticatorPlugin(
    'select name, password from users where name = :login',
    lambda: db, default_password_compare)
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
form = HashFormPlugin('__do_login', rememberer_name='auth_tkt', stored_sha=True)

identifiers = [('form', form), ('auth_tkt', auth_tkt)]
authenticators = [('sqlauth', sqlauth)]
challengers = [('form', form)]
mdproviders = []

middleware = PluggableAuthenticationMiddleware(
    simple_app,
    identifiers,
    authenticators,
    challengers,
    mdproviders,
    default_request_classifier,
    default_challenge_decider,
)

if __name__ == '__main__':
    wrs.make_server('', 8000, middleware).serve_forever()