Opened 5 years ago

Closed 5 years ago

#11912 closed (invalid)

check_password() and "crypt()" passwords

Reported by: nahuel Owned by: nobody
Component: contrib.auth Version: 1.1
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

In [16]: (hash, salt, pwc) = 'crypt$MW$CXuav1H6.Tw'.split('$')

In [17]: crypt.crypt('bitchou',salt)
Out[17]: 'MWCXuav1H6.Tw'

In [18]: pwc
Out[18]: 'CXuav1H6.Tw'

As you see, crypt.crypt returns salt+pwc, and not only the "pwd", so in Django the password check always returns false:
http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/models.py#L39

To fix this, just change the line 45 to:

    return salt + hsh == get_hexdigest(algo, salt, raw_password)

Or perhaps I'm wrong, but I don't think so.

Change History (2)

comment:1 follow-up: Changed 5 years ago by nahuel

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

FYI:
I created my htpasswd file with the apache2 "htpasswd -d" command, and tried to import the users into the Django users database.

comment:2 in reply to: ↑ 1 Changed 5 years ago by kmtracey

  • Resolution set to invalid
  • Status changed from new to closed

Replying to nahuel:

FYI:
I created my htpasswd file with the apache2 "htpasswd -d" command, and tried to import the users into the Django users database.

I believe the problem here is in how you are creating the hashtype$salt$hash values from your htpasswd file. Yes, crypt is documented to include the 2-character salt in the result of crypt.crypt (http://docs.python.org/library/crypt.html). Looking at the example on that page, that means when checking a password you use the encoded password value as the salt. So for Django's hashtype$salt$hash you should either be using the same value for the salt and hash parts, or the first two characters of the hash as the salt. So for your particular example, either 'crypt$MWCXuav1H6.Tw$MWCXuav1H6.Tw' or 'crypt$MW$MWCXuav1H6.Tw'. It sounds like instead you have taken the value from the htpasswd file and split it into a 2-character salt and hash. Don't do that -- the 2-character salt has to be included in the hash value as well.

(Also btw the change you propose to line 45 would break password checking for the non-crypt cases.)
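The following is an added example, not code from the ticket or from Django, that reproduces the mismatch discussed above: a crypt(3) result begins with its 2-character salt, so the stored hash field must carry the whole crypt string. Django's own `get_hexdigest`/`check_password` are mirrored here only for the 'crypt' branch, and because the `crypt` module is Unix-only (and was removed in Python 3.13) a clearly labelled stand-in with the same salt-prefix contract is used so the example runs anywhere; the user name, password and salt are constructed sample values.

```python
import base64
import hashlib


def fake_crypt(word: str, salt: str) -> str:
    """Stand-in for crypt.crypt() (assumption: not DES, not Django's code).

    It keeps the one property the ticket hinges on: only the first two
    characters of `salt` are used, and the 13-character result starts with
    those two characters.
    """
    salt = salt[:2]
    digest = hashlib.sha256((salt + word).encode()).digest()
    return salt + base64.b64encode(digest).decode()[:11]


def get_hexdigest(algo: str, salt: str, raw_password: str, crypt_fn=fake_crypt) -> str:
    # Mirrors the crypt branch of Django 1.1's helper: for 'crypt' the
    # "digest" is the full crypt output, salt prefix included.
    if algo == "crypt":
        return crypt_fn(raw_password, salt)
    raise ValueError("this example only handles the 'crypt' algorithm")


def check_password(raw_password: str, enc_password: str, crypt_fn=fake_crypt) -> bool:
    # Same comparison Django makes: the stored hash field must equal the
    # whole digest. With crypt that means the stored field has to include
    # the salt; the reporter's 'salt + hsh ==' change is not needed.
    algo, salt, hsh = enc_password.split("$")
    return hsh == get_hexdigest(algo, salt, raw_password, crypt_fn)


def htpasswd_crypt_to_django(line: str, wrong_split: bool = False) -> tuple:
    """Convert one 'user:cryptstring' htpasswd line (as written by
    'htpasswd -d') into Django's 'crypt$salt$hash' form.

    wrong_split=True reproduces the reporter's conversion (2-char salt, the
    remainder as hash), which can never verify.
    """
    user, crypted = line.strip().split(":", 1)
    salt = crypted[:2]
    hsh = crypted[2:] if wrong_split else crypted
    return user, "crypt$%s$%s" % (salt, hsh)


def demo() -> dict:
    # Constructed sample: what an htpasswd line for user 'nahuel' with
    # password 'bitchou' and salt 'MW' looks like under the stand-in crypt.
    crypted = fake_crypt("bitchou", "MW")
    line = "nahuel:%s" % crypted
    _, good = htpasswd_crypt_to_django(line)
    _, bad = htpasswd_crypt_to_django(line, wrong_split=True)
    # The other form kmtracey mentions: the same value for salt and hash.
    same = "crypt$%s$%s" % (crypted, crypted)
    return {
        "crypted": crypted,
        "good": good,
        "bad": bad,
        "good_ok": check_password("bitchou", good),
        "same_ok": check_password("bitchou", same),
        "bad_ok": check_password("bitchou", bad),
        "wrong_pw_ok": check_password("not-bitchou", good),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Against a real Unix system, passing `crypt.crypt` as `crypt_fn` to `check_password` gives the same accept/reject pattern for the ticket's 'crypt$MW$MWCXuav1H6.Tw' value; the 2-character split 'crypt$MW$CXuav1H6.Tw' is rejected either way.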
