Opened 15 years ago
Closed 15 years ago
#11912 closed (invalid)
check_password() and "crypt()" passwords
Reported by: | nahuel | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.1 |
Severity: | | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
```
In [16]: (hash, salt, pwc) = 'crypt$MW$CXuav1H6.Tw'.split('$')

In [17]: crypt.crypt('bitchou',salt)
Out[17]: 'MWCXuav1H6.Tw'

In [18]: pwc
Out[18]: 'CXuav1H6.Tw'
```
As you can see, crypt.crypt returns the salt+pwc, and not only the "pwd", so in Django the password check always returns false:
http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/models.py#L39
To fix this, just change line 45 to:
```python
return salt + hsh == get_hexdigest(algo, salt, raw_password)
```
Or perhaps I'm wrong, but I don't think so.
Change History (2)
follow-up: 2 comment:1 by , 15 years ago
comment:2 by , 15 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Replying to nahuel:
> FYI:
> I created my htpasswd file with the apache2 "htpasswd -d" command, and tried to import the users into the Django users database.
I believe the problem here is in how you are creating the hashtype$salt$hash values from your htpasswd file. Yes, crypt is documented to include the 2-character salt in the result of crypt.crypt (http://docs.python.org/library/crypt.html). Looking at the example on that page, that means when checking a password you use the encoded password value as the salt. So for Django's hashtype$salt$hash you should either be using the same value for the salt and hash parts, or the first two characters of the hash as the salt. So for your particular example, either 'crypt$MWCXuav1H6.Tw$MWCXuav1H6.Tw' or 'crypt$MW$MWCXuav1H6.Tw'. It sounds like instead you have taken the value from the htpasswd file and split it into a 2-character salt and hash. Don't do that -- the 2-character salt has to be included in the hash value as well.
(Also btw the change you propose to line 45 would break password checking for the non-crypt cases.)
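The importer mistake and the correct hashtype$salt$hash construction described in the comment above, as an added Python example (it is neither Django's code nor the reporter's): the helper names des_crypt, htpasswd_to_django, naive_htpasswd_to_django and check_password are assumptions, and when the platform crypt module is missing or refuses DES the code falls back to a constructed stand-in that only keeps the salt-prefix shape.

```python
import hashlib

try:  # the crypt module was deprecated in Python 3.11 and removed in 3.13
    import crypt as _crypt
except ImportError:
    _crypt = None


def des_crypt(raw_password, salt):
    """Traditional crypt(3) with a 2-character salt, as written by `htpasswd -d`.
    Its output always begins with the salt, which is the point of this ticket.
    Without a usable platform crypt, a constructed stand-in (NOT real DES) is used."""
    salt = salt[:2]  # DES crypt only ever looks at the first two salt characters
    if _crypt is not None:
        try:
            out = _crypt.crypt(raw_password, salt)
        except (OSError, ValueError):
            out = None
        if out and out.startswith(salt):
            return out
    digest = hashlib.sha1((salt + raw_password).encode()).hexdigest()
    return salt + digest[:11]  # same shape as DES crypt: 2-char salt + 11 chars


def htpasswd_to_django(crypt_value):
    """Turn the value after 'user:' in an `htpasswd -d` line into Django's
    hashtype$salt$hash string. The hash part must be the WHOLE crypt output,
    salt included; the salt part is its first two characters."""
    return "crypt$%s$%s" % (crypt_value[:2], crypt_value)


def naive_htpasswd_to_django(crypt_value):
    """The reporter's mistake: cut off a 2-char salt, which strips it from the hash."""
    return "crypt$%s$%s" % (crypt_value[:2], crypt_value[2:])


def check_password(raw_password, enc_password):
    """Same comparison as django.contrib.auth.models.check_password for the
    crypt algorithm: the stored hash must equal crypt(raw_password, salt)."""
    algo, salt, hsh = enc_password.split("$")
    if algo != "crypt":
        raise ValueError("only the crypt algorithm is handled in this example")
    return hsh == des_crypt(raw_password, salt)


if __name__ == "__main__":
    stored = des_crypt("bitchou", "MW")  # 'MWCXuav1H6.Tw' with a glibc DES crypt
    print(check_password("bitchou", htpasswd_to_django(stored)))        # True
    print(check_password("bitchou", naive_htpasswd_to_django(stored)))  # False
```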