Opened 16 years ago
Closed 13 years ago
#6028 closed New feature (wontfix)
add compatibility with glibc2 MD5-based crypt passwords
| Reported by: | Antti Kaihola | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | auth password crypt mp5 |
| Cc: | philipp@… | Triage Stage: | Design decision needed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
In [5073] support for Unix DES crypt passwords was added (see #3316 for discussion).
Many systems use MD5-based crypt shadow passwords (see e.g. man 3 crypt or its on-line version, under heading "GNU Extension"). This extension to the crypt library prefixes the encrypted password with "$1$<8-character-salt>$" instead of the 2-character salt.
Django uses dollar signs ($) to delimit the algorithm, salt and encrypted password in the contrib.auth.models.User.password string. The choice of delimiter collides with glibc2 crypt. Apart from that MD5 crypt passwords should just work with the current code.
I bumped into this in a project where I need to move a number of Linux user accounts along with their passwords to Django.
The first solution which comes to mind is to add another algorithm name, e.g. "md5-crypt", and add its own splitting parser to replace the current one.
Attachments (3)
Change History (11)
by , 16 years ago
| Attachment: | md5-crypt.diff added |
|---|
by , 16 years ago
| Attachment: | md5-crypt-as-algo-name.diff added |
|---|
algorithm name must be explicitly set to "md5-crypt" for MD5 crypt passwords; salt must still start with $1
by , 16 years ago
| Attachment: | md5-crypt-as-algo-name-plus-autodetect.diff added |
|---|
detect MD5 crypt passwords by checking if salt begins with "$1" for both "md5-crypt" and "crypt" as algorithm name
comment:1 by , 16 years ago
| Has patch: | set |
|---|
The above three alternate patches offer three different conventions for specifying MD5 crypt passwords.
The first one doesn't add a new algorithm name. It detects and correctly parses MD5 crypt passwords when the salt part of the password string starts with "$1".
The second one adds "md5-crypt" as a new algorithm name, and MD5 crypt passwords must use it.
The third one adds the "md5-crypt" algorithm name, but also auto-detects MD5 crypt passwords when "crypt" is used as the algorithm name.
comment:2 by , 16 years ago
| Triage Stage: | Unreviewed → Design decision needed |
|---|
akaihola - can you raise this on django-dev?
comment:3 by , 16 years ago
comment:4 by , 14 years ago
| Cc: | added |
|---|
I'd like to raise this one again - as far as I can see, these patches still apply cleanly to trunk and provide some nice functionality with regards to exchanging Django authentication credentials with Linux authentication. Was there a reason for not accepting the patch?
comment:5 by , 14 years ago
#9194 is somewhat related (allow additional hashing algorithms for passwords).
comment:6 by , 13 years ago
| Component: | Contrib apps → contrib.auth |
|---|
comment:7 by , 13 years ago
| Severity: | → Normal |
|---|---|
| Type: | → New feature |
comment:8 by , 13 years ago
| Easy pickings: | unset |
|---|---|
| Resolution: | → wontfix |
| Status: | new → closed |
| UI/UX: | unset |
While we don't have it yet, Paul McMillan and others are working on a more proper infrastructure for allowing different password hashing schemes. This will be able to live outside Django once it lands, and thus no action should be taken inside Django for this.
use "crypt" as name for both DES and MD5 crypt algorithms and detect MD5 by examining the salt