[Twisted-Python] Plain text password with PB authentication?
Jp Calderone
exarkun at intarweb.us
Fri Aug 29 21:47:17 MDT 2003
On Fri, Aug 29, 2003 at 04:02:38PM -0600, Boersma, Matt wrote:
> First, thanks to Itamar for nudging me in the right direction. I never
> thought of looking at the unit tests for documentation, but so far that's
> the clearest explanation of the new PBServerFactory stuff I've seen.
>
> Here's my problem. I have a PB client that calls login against the
> server, with a UsernamePassword object as credentials. PB sets up for me
> nice default implementations of the authentication mechanisms, but refuses
> to send the actual password to the server, only a doubly MD5-hashed
> version of same.
>
> No! Stop your flames! Trading only hashes across the wire makes perfect
> sense--in most cases. I fully understand, and I've written nearly
> identical Java code recently to do the same.
No need to flame. Authenticating against plaintext passwords is fine --
as long as your transport is secure.
Make sure your server uses listenSSL() and your client uses connectSSL().
>
> But...in this case I want simply to delegate the actual authentication on
> the server side to an Oracle login. That is, if I can get a
> SQLConnectionPool with the given username and password and execute a test
> query, then the user is considered authenticated. This requires that the
> server have the actual password, not its hash. (Oracle doesn't appear to
> support anything besides clear text login, at least through the cx_Oracle
> and DCOracle2 APIs.)
>
Disappointed. Maybe some of the enterprise fell out of the box during
shipping.
> So my options are:
> - Create subclasses of PBClientFactory, CredentialsChecker, perhaps
> others, purely to undo the strict md5-hashing behavior of PB and instead
> supply the clear text password.
You only need to subclass PBClientFactory and PBServerFactory, nothing
else.
Override PBServerFactory.buildProtocol() and set a different root object,
one that implements remote_login() that takes both the plaintext username
and password as arguments and returns the avatar right away (or a deferred
that is called back with the avatar eventually).
Then override PBClientFactory.login() to send both the username and
password to the server's login() method.
> - Leave the existing authentication as-is and create a dummy
> CredentialsChecker that always allows login. Then do the "real"
> authentication in a secondary method the client is required to call.
Don't do this.
>
> Which of these two ugly approaches is more Twisted?
>
The former approach isn't ugly at all. The latter is pretty hackish.
Once again, for emphasis: don't do this unless your transport is secure.
Jp
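To make concrete why the default PB login cannot be forwarded to an Oracle login while the plaintext remote_login() path can, here is an added example that is not code from the list or from Twisted. The challenge/response functions re-implement the "doubly MD5-hashed" scheme in plain hashlib (assumed to mirror twisted.spread.pb.respond(); nothing is imported from Twisted), and FakeOracle is a constructed stand-in for a database login that only understands a real password.

```python
import hashlib
import hmac
import os

# --- PB's default challenge/response, re-implemented here.
# Assumption: this mirrors twisted.spread.pb.respond(); Twisted is not imported. ---

def stored_md5_for(password: str) -> bytes:
    """What the server must keep on file per user to verify default PB logins."""
    return hashlib.md5(password.encode()).digest()

def pb_challenge() -> bytes:
    """Server side: a fresh per-login challenge, so a captured response
    is useless against the next login attempt."""
    return hashlib.md5(os.urandom(20)).digest()

def pb_respond(challenge: bytes, password: bytes) -> bytes:
    """Client side: the doubly MD5-hashed value that crosses the wire,
    md5(md5(password) + challenge). The password itself never leaves the client."""
    hashed_password = hashlib.md5(password).digest()
    return hashlib.md5(hashed_password + challenge).digest()

def pb_verify(challenge: bytes, response: bytes, stored_md5_password: bytes) -> bool:
    """Server side. It needs md5(password) for the user and can confirm the
    client knows the password, but it cannot recover the password from
    the response, so there is nothing to hand to a backend like Oracle."""
    expected = hashlib.md5(stored_md5_password + challenge).digest()
    return hmac.compare_digest(expected, response)

def pb_login_roundtrip(username: str, password: str, server_md5_db: dict) -> bool:
    """One simulated default-PB login: server challenges, client responds,
    server verifies against the md5 digest it stores for that user."""
    stored = server_md5_db.get(username)
    if stored is None:
        return False
    challenge = pb_challenge()
    response = pb_respond(challenge, password.encode())
    return pb_verify(challenge, response, stored)

# --- Constructed stand-in for the Oracle login the poster wants to delegate to. ---

class FakeOracle:
    """Mimics a DB login: succeeds only with the actual password and offers
    no way to check a hash or a challenge response (constructed, not cx_Oracle)."""
    def __init__(self, accounts: dict):
        self._accounts = accounts  # username -> plaintext password

    def connect(self, username: str, password: str) -> bool:
        return self._accounts.get(username) == password

def plaintext_login(username: str, password: str, backend: FakeOracle) -> bool:
    """The remote_login(username, password) path from the reply: the server
    receives both values and simply tries them against the backend. No
    per-user secret is stored server-side, but the plaintext password is on
    the wire, which is only acceptable over listenSSL()/connectSSL()."""
    return backend.connect(username, password)

if __name__ == "__main__":
    md5_db = {"alice": stored_md5_for("s3cret")}
    print("default PB login:", pb_login_roundtrip("alice", "s3cret", md5_db))
    oracle = FakeOracle({"alice": "s3cret"})
    print("delegated plaintext login:", plaintext_login("alice", "s3cret", oracle))
```

The contrast is in the arguments: pb_verify() needs a stored md5(password) and gets nothing it could forward, while plaintext_login() needs no stored secret but puts the whole trust burden on the transport, which is exactly why the reply insists on SSL for the plaintext variant.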