Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 10:22 -0800, Ryan Roth wrote: > If the WWW_USERS string has $ in it webtypes reads it as None, if I > remove the $ it reads fine Let's move this over to freevo-devel -- we should have done that ages ago. :) Anyway, I'm not sure what you mean here. Can you elaborate?

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
If the WWW_USERS string has $ in it, webtypes reads it as None; if I remove the $, it reads fine. Jason Tackaberry wrote: > On Mon, 2007-01-01 at 13:15 -0500, Jason Tackaberry wrote: > >> On Mon, 2007-01-01 at 10:01 -0800, Ryan Roth wrote: >> >>> while len(salt) < 8: >>> char = os.urandom(

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 13:15 -0500, Jason Tackaberry wrote:
> On Mon, 2007-01-01 at 10:01 -0800, Ryan Roth wrote:
> > while len(salt) < 8:
> >     char = os.urandom(1)
> >     if re.match('[a-zA-Z0-9]', char) > -1:
> >         salt = salt + char
>
> This is fine. A bit hungrier than the code I suggested

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 10:01 -0800, Ryan Roth wrote:
> while len(salt) < 8:
>     char = os.urandom(1)
>     if re.match('[a-zA-Z0-9]', char) > -1:
>         salt = salt + char
This is fine. A bit hungrier than the code I suggested, but then it doesn't need to be fast. I'd get rid of "> -1"
Cheers,
Jas

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
Yeah I got it, thanks:
while len(salt) < 8:
    char = os.urandom(1)
    if re.match('[a-zA-Z0-9]', char) > -1:
        salt = salt + char

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 09:23 -0800, Ryan Roth wrote:
> How do I get urandom to only do valid chars?
You could read in 8 characters, and then coerce them to the range needed with modulo reduction. Something like:
import string
chars = string.letters + string.digits + '/.'
s

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Morten Nilsen
Ryan Roth wrote: > How do I get urandom to only do valid chars? with a loop..

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
This is the part I'm stuck on: So the password helper will:
1. Prompt for username and password
2. generate a salt of 8 random bytes (from the set [a-zA-Z0-9./]) gotten from /dev/urandom
3. Output username and crypt.crypt(password, "$1$%s$" % salt)
How do I get urandom to o

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 08:56 -0800, Ryan Roth wrote: > I will redo it with crypt then. BTW it does work. It takes the stored > password hash, then it hashes the supplied password and compares them. The patch as submitted wouldn't work (because it had the crypt line that shouldn't have been there

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
I will redo it with crypt then. BTW it does work. It takes the stored password hash, then it hashes the supplied password and compares them. If the hashes are the same you have the same password. When I used the username for salt you could only get a direct match when both the stored userna

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 08:36 -0800, Ryan Roth wrote: > Here is a more polite way of sending the patch, sorry No problem. However the patch does need some work: > +password = crypt(password, '$1$'+ 'saltedflavor') You're using a fixed salt, which rather defeats the purpose of a salt. You should d

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
Here is a more polite way of sending the patch, sorry Index: src/helpers/passwd.py === --- src/helpers/passwd.py (revision 8885) +++ src/helpers/passwd.py (working copy) @@ -28,11 +28,11 @@ # # --

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
Can you apply that for me? I can't write to SVN. Jason Tackaberry wrote: > On Mon, 2007-01-01 at 08:11 -0800, Ryan Roth wrote: > >> If the salt is stored with the password then there is no reason to >> really use it, right? >> > > No, the salt increases the difficulty of dictionary-based att

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
Index: src/www/web_types.py === --- src/www/web_types.py (revision 8885) +++ src/www/web_types.py (working copy) @@ -1,4 +1,4 @@ -# -*- coding: iso-8859-1 -*- +# /bin/bash: indent: command not found # ---
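Review bot: the hunk at @@ -1,4 +1,4 @@ replaces the line "# -*- coding: iso-8859-1 -*-" with "# /bin/bash: indent: command not found", which is a shell error message (from a failed "indent" invocation) that ended up in the file rather than an intended change; drop this hunk and keep the coding declaration before the patch is applied.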

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 08:11 -0800, Ryan Roth wrote: > If the salt is stored with the password then there is no reason to > really use it, right? No, the salt increases the difficulty of dictionary-based attacks considerably.

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
If the salt is stored with the password then there is no reason to really use it, right? Jason Tackaberry wrote: > On Mon, 2007-01-01 at 08:04 -0800, Ryan Roth wrote: > >> So would you like it changed? >> > > I would, yes. :)

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 08:04 -0800, Ryan Roth wrote: > So would you like it changed? I would, yes. :)

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
So would you like it changed? Jason Tackaberry wrote: > On Mon, 2007-01-01 at 07:43 -0800, Ryan Roth wrote: > >> I can change it if that is what people want. I personally like not >> having blatant visible usernames or passwords in plain text files. >> > > The model from the beginning of

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 07:43 -0800, Ryan Roth wrote: > I can change it if that is what people want. I personally like not > having blatant visible usernames or passwords in plain text files. The model from the beginning of time has always been that usernames are not secret. I think changing that

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
I can change it if that is what people want. I personally like not having blatant visible usernames or passwords in plain text files. When comparing the given password to the stored password, how do you use the same salt if it is random? Or is it a random salt for that machine? Jason Tackaberry wrote: >

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Sun, 2006-12-31 at 23:20 -0800, Ryan Roth wrote: > You're way behind :), I already changed it to use md5 No, I saw that. I was just saying not to hash the username, and to use the conventional unix crypt command with a random salt (instead of the username as salt). crypt(3) on any modern linux

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-31 Thread Ryan Roth
You're way behind :), I already changed it to use md5

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-31 Thread Jason Tackaberry
On Fri, 2006-12-29 at 14:47 -0800, Ryan Roth wrote: > idea of plain text passwords. If you really want I can change it to > md5, but since the username and password are salted with each other it > should be pretty safe, since you would need both to crack one. Hashing the username seems like nee

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
It turns out python has a md5 module built right in. I went ahead and changed it to md5. So to summarize, since there have been so many emails and versions ;) The passwd helper takes a username and password from the user and dumps md5 encoded strings for the user to add to local_config.py Th

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
The newest version is on the tracker page. The reason I do not like plain text in the local_conf.py is because I keep backups of this file on my PC, and I imagine others may do so too. I just do not like the idea of plain text passwords. If you really want I can change it to md5, but since t

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
No more local_conf.py foolery Index: src/www/web_types.py === --- src/www/web_types.py(revision 8853) +++ src/www/web_types.py(working copy) @@ -27,8 +27,8 @@ # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
I can change it to just dump the user & password to the console. Also if a user uses crypt- for a password it WILL still work, since it checks all passwords against plain text first. Duncan Webb wrote: > Ryan Roth wrote: > >> OK I have stunnel working. I would like to write a howto for the

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Duncan Webb
Ryan Roth wrote: > OK I have stunnel working. I would like to write a howto for the wiki, > but I would like to include the encrypted passwords in the how to also. Great wiki page. I think it would be better to use a tuple for encrypted user names and passwords, then the password checker can de

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
http://freevo.sourceforge.net/cgi-bin/doc/SecureWebserver

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
OK I have stunnel working. I would like to write a howto for the wiki, but I would like to include the encrypted passwords in the howto also. Duncan Webb wrote: > Ryan Roth wrote: > >> The reason I wanted this is to start making the web interface more secure. >> I wanted to talk with people a

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
Can you apply the current changes to svn? And I will start working on HTTPS. None of it is yet implemented, right? Duncan Webb wrote: > Ryan Roth wrote: > >> The reason I wanted this is to start making the web interface more secure. >> I wanted to talk with people and see what they thought abou

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Duncan Webb
Ryan Roth wrote: > The reason I wanted this is to start making the web interface more secure. > I wanted to talk with people and see what they thought about changing the > web server to a secure server. This would be nice for those of us who > forward web traffic from our public IP to our Freevo b