[Zope] Re: PAS and md5 or crypt passwords

Tres Seaver tseaver at palladion.com
Mon Oct 16 11:06:03 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert (Jamie) Munro wrote:
> Piotr Furman wrote:
>>> I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code
>>> and removed the google specific code. It doesn't give any errors, but it
>>> also doesn't let me log in. I've tried adding a line to log things, but
>>> that doesn't seem to be working either.
>>>
>> Maybe You should take a look at SQLPASPlugin -
>> http://plone.org/products/sqlpasplugin - there are some SHA encryption
>> possibilities, however they are commented by default.
>> So You would have to modify its code a little bit.
> 
> That's what I was using before. I had no idea that it supported SHA, or
> that it was so easy to add MD5. That has solved my problem - Thanks
> 
> It's a pretty silly implementation, though. The point of hashing
> passwords with MD5 or SHA1 is that if an attacker can read the password
> files due to some kind of security leak, he still doesn't have the
> passwords themselves, so he still can't login. Unfortunately, the way it
> is implemented in SQLPASPlugin, the fact that he doesn't have the
> password doesn't matter because if you put the hash itself in the
> password field, you are allowed into the site.
> 
> It doesn't matter too much for my application, but it's something that
> should probably be fixed.

The problem is actually that SQLPASPlugin is schizoid about whether or
not to use encrypted passwords (see the 'updateUserPassword' method for
more weirdness).  The plugin should probably have a boolean property,
'encrypt_passwords', which would control the behavior of
'authenticateCredentials' and 'updateUserPassword'.

I've added an issue to the collector for SQLPasPlugin:

  http://plone.org/products/sqlpasplugin/issues/4


Tres.
- --
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFM5/b+gerLs4ltQ4RAn8UAJ9GnHxqSQAkdmPDj7NsHxPajtK5FACfVA3g
e8wCzxsdyacVaUuawbDUX1Q=
=muJX
-----END PGP SIGNATURE-----
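The comparison bug Robert describes and the `encrypt_passwords` switch Tres proposes, as an added stand-alone illustration (this is not SQLPASPlugin's code, and the class and method names `FlawedStore`, `FixedStore`, `update_user_password` and `authenticate` are invented stand-ins for the plugin's `updateUserPassword` and `authenticateCredentials`). The flawed store accepts either the real password or the stored hash verbatim, so anyone who has read the password table can log in with the hash; the fixed store applies the same transform on write and on check, so the stored value is never a valid credential by itself:

```python
import hashlib
import hmac


def _sha1_hex(password: str) -> str:
    """Unsalted SHA1 hex digest, matching the scheme discussed in the thread."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


class FlawedStore:
    """Behaviour described on the list: the hash itself is accepted as a password."""

    def __init__(self):
        self.users = {}  # login -> stored SHA1 hex (constructed in-memory table)

    def update_user_password(self, login: str, password: str) -> None:
        self.users[login] = _sha1_hex(password)

    def authenticate(self, login: str, password: str) -> bool:
        stored = self.users.get(login)
        if stored is None:
            return False
        # The flaw: a submitted value equal to the stored hash passes, so a
        # leaked password table is as good as the passwords themselves.
        return password == stored or _sha1_hex(password) == stored


class FixedStore:
    """One boolean decides the storage format; write and check always agree."""

    def __init__(self, encrypt_passwords: bool = True):
        self.encrypt_passwords = encrypt_passwords  # the proposed property
        self.users = {}

    def _transform(self, password: str) -> str:
        # Same transform on every path; never compare raw input to stored data.
        return _sha1_hex(password) if self.encrypt_passwords else password

    def update_user_password(self, login: str, password: str) -> None:
        self.users[login] = self._transform(password)

    def authenticate(self, login: str, password: str) -> bool:
        stored = self.users.get(login)
        if stored is None:
            return False
        # Constant-time comparison of the transformed submission with the record.
        return hmac.compare_digest(
            self._transform(password).encode("utf-8"), stored.encode("utf-8")
        )


def demo() -> dict:
    """Return the outcome of a leaked-hash login against each store."""
    leaked_hash = _sha1_hex("correct horse")
    flawed = FlawedStore()
    flawed.update_user_password("alice", "correct horse")
    fixed = FixedStore(encrypt_passwords=True)
    fixed.update_user_password("alice", "correct horse")
    return {
        "flawed_accepts_hash": flawed.authenticate("alice", leaked_hash),
        "fixed_accepts_hash": fixed.authenticate("alice", leaked_hash),
        "fixed_accepts_password": fixed.authenticate("alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The example keeps the thread's unsalted SHA1 only to isolate the comparison bug; a store written today would use a salted, slow password hash, and the same rule applies: the stored value must never be accepted as a credential.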


