[Twisted-Python] Authentication with Perspective Broker and hashed password file
Jp Calderone
exarkun at divmod.com
Sat Feb 12 08:57:23 MST 2005
On Sat, 12 Feb 2005 10:34:10 +0200, Tommi Virtanen <tv at twistedmatrix.com> wrote:
>Dave Cook wrote:
> > Failure: twisted.cred.error.UnhandledCredentials: No checker for
> > twisted.spread.interfaces.IJellyable,
> > twisted.cred.credentials.IUsernameHashedPassword,
> ^^^^^^
> > twisted.cred.credentials.ICredentials,
> > twisted.spread.pb.IUsernameMD5Password
> ^^^^^^^^^^^^^^^^^^^^
> >
> > However, if I use plaintext passwords, it works fine.
> >
> > I'm working with the example in the book:
> >
> > http://twistedmatrix.com/documents/current/howto/pb-cred#auto7
> >
> > with the credential checker set to
> >
> > import sha
> > myChecker = checkers.FilePasswordDB("my_hashed_passwd_file",
> > hash =
> > lambda u, p, h: sha.new(p).hexdigest())
>
> Locally hashing the password only works when the password is transferred
> over the wire in plaintext.
>
> PB uses a challenge-response authentication, which by its nature
> requires you to store passwords in plaintext.
>
> You need a checker for IUsernameHashedPassword. FilePasswordDB is one,
> as long as you don't pass it the argument hash.

To extend what Tommi is saying, you could implement your own login
negotiation sequence for PB which does transfer a password over the
wire in plaintext, which would allow you to use locally hashed
passwords. This will only be usable with PB/SSL, of course (unless
you don't mind sharing your passwords with everyone else on the 'net).

PBClientFactory.login is provided primarily as a convenience, since
it covers most people's authentication requirements. It is implemented
in terms of other, "normal" PB method calls, so creating an alternate
login negotiation sequence is just a matter of calling different methods
with different arguments.

Jp
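
Added example, not part of the original messages and not Twisted's code: a stand-alone Python 3 illustration of why a challenge-response check cannot be verified against a locally hashed password file, while a plaintext login (over SSL) can. The HMAC-based `respond` is a constructed stand-in rather than PB's wire protocol, and all function names and the sample password are assumptions.

```python
import hashlib
import hmac
import os

def file_hash(password: bytes) -> str:
    # Same transform as the hash= lambda in the thread: SHA-1 hex digest.
    return hashlib.sha1(password).hexdigest()

def respond(challenge: bytes, secret: bytes) -> bytes:
    # Constructed challenge-response: proves knowledge of `secret`
    # without sending it. Not PB's actual algorithm.
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def check_challenge_response(stored: bytes, challenge: bytes, response: bytes) -> bool:
    # The server has to recompute the response from what it has stored,
    # so `stored` must be the same secret the client used.
    return hmac.compare_digest(respond(challenge, stored), response)

def check_plaintext_login(stored_hash: str, password: bytes) -> bool:
    # The password arrives in the clear (SSL assumed), so the server can
    # hash it locally and compare against the hashed file entry.
    return hmac.compare_digest(file_hash(password), stored_hash)

def demo() -> dict:
    password = b"correct horse"              # constructed sample credential
    challenge = os.urandom(16)               # server-chosen nonce
    response = respond(challenge, password)  # what the client sends back
    hashed_entry = file_hash(password)       # what a hashed password file holds
    return {
        "challenge_response_plaintext_store":
            check_challenge_response(password, challenge, response),
        "challenge_response_hashed_store":
            check_challenge_response(hashed_entry.encode(), challenge, response),
        "plaintext_login_hashed_store":
            check_plaintext_login(hashed_entry, password),
        "plaintext_login_wrong_password":
            check_plaintext_login(hashed_entry, b"wrong"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```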