[Repoze-dev] [issue82] Add HashFormPlugin - JavaScript hashing
Douglas Mayle doug...@mayle.org added the comment:

I've commented on this patch on the mailing list, but wanted to make sure my concerns were recorded here:

* `if cleartext_password.startswith('{SHA}'):` The hashing system is entirely optional at the client level, so you don't provide password protection for all clients.

* The challenge used for verification is the challenge supplied by the client. This defeats entirely the point of a challenge. I see you do some calculations to restrict the range of possible challenges (based on time), but a challenge response only works if the challenge is random and server supplied. If not, then it's vulnerable to pre-computation...

* You're performing an HMAC with the challenge as the key. The purpose of an HMAC is to provide authentication of the message in the case of a shared private key. In this case, the key is public (as it's sent over the wire) and that means that there is no difference between this HMAC and a standard hash.

* In the case of a hashed password, you perform an HMAC of the hashed password. In a standard hashed password system, the user must know the clear text password in order to log in. The point of the hash is to prevent authentication in the case of a database leak. In your system, the hashed password is sufficient to log in, and so you've removed the protection that password hashing provides.

* While it's true that using a different key per request means that attackers who sniff the HMAC won't be able to use rainbow tables to compute the password from the HMAC, the passwords are still stored as standard hashed passwords, and that means that a db leak leaves all of your accounts compromised. With salted hashes, that is not true...

--
topic: +repoze.who

__
Repoze Bugs b...@bugs.repoze.org
http://bugs.repoze.org/issue82
__
___
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
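The server-supplied, single-use, expiring challenge that the second objection asks for, written out as an added Python 3 example; it is not the patch, not repoze.who code, and ChallengeResponseServer, stored_verifier, response_for and client_login are names made up here. It deliberately keeps the patch's other choices (an HMAC keyed by the public challenge, an unsalted {SHA} verifier) so that the third and fourth objections can be seen in the same code: the random nonce stops client-chosen and replayed challenges and bounds the window for precomputation, but the stored verifier is still enough to produce a valid response.

```python
import hashlib
import hmac
import secrets
import time


def stored_verifier(password):
    # Same unsalted '{SHA}' + hex SHA-1 format the test app writes to the users table.
    return '{SHA}' + hashlib.sha1(password.encode()).hexdigest()


def response_for(nonce, verifier):
    # The patch's construction: HMAC keyed by the (public) challenge. Because the
    # key travels over the wire this is no stronger than a hash bound to the nonce,
    # which is the third objection above; it is kept as-is so that point is visible.
    return hmac.new(nonce.encode(), verifier.encode(), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Hypothetical server side: challenges are random, server-generated,
    single-use and expire, so a client can neither choose nor replay one."""

    def __init__(self, users, ttl=60, clock=time.time):
        self.users = users        # login -> '{SHA}...' verifier (constructed table)
        self.pending = {}         # (login, nonce) -> expiry timestamp
        self.ttl = ttl
        self.clock = clock        # injectable so expiry can be tested

    def issue_challenge(self, login):
        nonce = secrets.token_hex(16)     # 128 random bits chosen by the server
        self.pending[(login, nonce)] = self.clock() + self.ttl
        return nonce

    def verify(self, login, nonce, response):
        # pop(): a nonce is accepted at most once, so a replay fails here
        expiry = self.pending.pop((login, nonce), None)
        if expiry is None or self.clock() > expiry:
            return False                  # never issued, already used, or stale
        verifier = self.users.get(login)
        if verifier is None:
            return False
        return hmac.compare_digest(response_for(nonce, verifier), response)


def client_login(server, login, password):
    # What the browser-side script does when the user knows the cleartext password.
    nonce = server.issue_challenge(login)
    return nonce, response_for(nonce, stored_verifier(password))


def demo():
    users = {'paj': stored_verifier('test')}      # constructed user table
    srv = ChallengeResponseServer(users)

    nonce, resp = client_login(srv, 'paj', 'test')
    fresh = srv.verify('paj', nonce, resp)         # genuine login: accepted
    replay = srv.verify('paj', nonce, resp)        # same nonce again: rejected

    picked = '00' * 16                             # a challenge the client chose itself
    chosen = srv.verify('paj', picked, response_for(picked, users['paj']))  # rejected

    # Fourth objection above: the stored verifier alone, without the cleartext
    # password, yields a valid response, so a leaked table is password-equivalent.
    nonce2 = srv.issue_challenge('paj')
    hash_only = srv.verify('paj', nonce2, response_for(nonce2, users['paj']))

    return fresh, replay, chosen, hash_only
```

demo() returns (True, False, False, True): the random server nonce fixes the replay and client-chosen-challenge problems, while the last value shows that the database-leak objection is untouched by any choice of challenge, because the server verifies against exactly the value an attacker would obtain from the table.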
Chris McDonough chr...@plope.com added the comment:

We're actually trying to encourage people to release plugins in separate packages these days. This is a good candidate. I'm going to mark this one as resolved as a result, although really the task is to create a separate Python package that houses the hashform.py module and tests. For a sample of how others have packaged repoze.who plugins, see http://pypi.python.org/pypi/repoze.who-friendlyform/1.0b3

--
status: in-progress -> resolved
Paul Johnston paul@gmail.com added the comment:

Ok, here's the patch. Potential bad interaction with ticket 85 - see discussion on list

[attachment: hashform.patch]
Paul Johnston paul@gmail.com added the comment:

Here's a test app you can use to try it out

import webob as wo, wsgiref.simple_server as wrs, sqlite3, hashlib

def simple_app(environ, start_response):
    # Protected app: answers only once repoze.who has set REMOTE_USER
    req = wo.Request(environ)
    resp = wo.Response(request=req, content_type='text/html; charset=UTF8')
    if 'REMOTE_USER' in environ:
        resp.body = 'hello world'
    else:
        resp.status = 401
    return resp(environ, start_response)

from repoze.who.middleware import PluggableAuthenticationMiddleware
from repoze.who.classifiers import default_request_classifier
from repoze.who.classifiers import default_challenge_decider
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.hashform import HashFormPlugin
from repoze.who.plugins.sql import SQLAuthenticatorPlugin, default_password_compare

db = sqlite3.connect(':memory:')
db.execute('create table users (name varchar, password varchar)')
# stored_sha=True below: the password column holds '{SHA}' + hex SHA-1 of the password
db.execute('insert into users values (?, ?)',
           ('paj', '{SHA}' + hashlib.sha1('test').hexdigest()))
db.commit()

sqlauth = SQLAuthenticatorPlugin('select name, password from users where name = :login',
                                 lambda: db, default_password_compare)
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
form = HashFormPlugin('__do_login', rememberer_name='auth_tkt', stored_sha=True)

identifiers = [('form', form), ('auth_tkt', auth_tkt)]
authenticators = [('sqlauth', sqlauth)]
challengers = [('form', form)]
mdproviders = []

middleware = PluggableAuthenticationMiddleware(
    simple_app, identifiers, authenticators, challengers, mdproviders,
    default_request_classifier, default_challenge_decider)

if __name__ == '__main__':
    wrs.make_server('', 8000, middleware).serve_forever()