Opened 17 years ago

Closed 13 years ago

#6028 closed New feature (wontfix)

add compatibility with glibc2 MD5-based crypt passwords

Reported by: Antti Kaihola Owned by: nobody
Component: contrib.auth Version: dev
Severity: Normal Keywords: auth password crypt md5
Cc: philipp@… Triage Stage: Design decision needed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In [5073] support for Unix DES crypt passwords was added (see #3316 for discussion).

Many systems use MD5-based crypt shadow passwords (see e.g. man 3 crypt or its on-line version, under heading "GNU Extension"). This extension to the crypt library prefixes the encrypted password with "$1$<8-character-salt>$" instead of the 2-character salt.

Django uses dollar signs ($) to delimit the algorithm, salt and encrypted password in the contrib.auth.models.User.password string. The choice of delimiter collides with glibc2 crypt. Apart from that MD5 crypt passwords should just work with the current code.

I bumped into this in a project where I need to move a number of Linux user accounts along with their passwords to Django.

The first solution which comes to mind is to add another algorithm name, e.g. "md5-crypt", and add its own splitting parser to replace the current one.
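As an added illustration (not one of the attached patches and not Django's own code), the block below implements the glibc "$1$" MD5 crypt algorithm in pure Python and a splitter for Django's "algo$salt$hash" string that resolves the delimiter collision the way the autodetecting patch describes: a salt beginning with "$1$" is treated as MD5 crypt whether the algorithm name is "crypt" or "md5-crypt". The function names and the use of hmac.compare_digest are this example's own choices.

```python
# Added example, not code from the ticket or from Django. Helper names are assumed.
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):  # crypt(3) base64, least-significant 6 bits first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt):
    # Return "$1$<salt>$<hash>" as glibc's "$1$" extension computes it; salt is the bare salt
    pw, s = password.encode(), salt.split("$")[0][:8].encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + s)
    for left in range(len(pw), 0, -16):
        ctx.update(alt[:min(left, 16)])
    bit = len(pw)
    while bit:  # one byte per bit of len(pw): NUL if the bit is set, else pw[0]
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # the stretching loop that makes MD5 crypt deliberately slow
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(s)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return "$1$" + s.decode() + "$" + out + _to64(final[11], 2)

def split_password(encoded):
    # Django's "algo$salt$hash"; a salt beginning "$1$" means glibc MD5 crypt
    algo, rest = encoded.split("$", 1)
    if algo in ("crypt", "md5-crypt") and rest.startswith("$1$"):
        salt, hsh = rest[3:].split("$", 1)
        return "md5-crypt", salt, hsh
    salt, hsh = rest.split("$", 1)
    return algo, salt, hsh

def check_password(raw, encoded):
    # Verify raw against an MD5-crypt entry; compare in constant time
    algo, salt, hsh = split_password(encoded)
    if algo != "md5-crypt":
        raise ValueError("unsupported algorithm: " + algo)
    return hmac.compare_digest(md5_crypt(raw, salt), "$1$%s$%s" % (salt, hsh))
```

A naive `encoded.split("$")` on a stored MD5 crypt entry yields five fields instead of three, which is exactly the collision the description points out; the splitter above consumes the "$1$" marker before splitting the remainder.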

Attachments (3)

md5-crypt.diff (709 bytes ) - added by Antti Kaihola 17 years ago.
use "crypt" as name for both DES and MD5 crypt algorithms and detect MD5 by examining the salt
md5-crypt-as-algo-name.diff (1.2 KB ) - added by Antti Kaihola 17 years ago.
algorithm name must be explicitly set to "md5-crypt" for MD5 crypt passwords; salt must still start with $1
md5-crypt-as-algo-name-plus-autodetect.diff (1.2 KB ) - added by Antti Kaihola 17 years ago.
detect MD5 crypt passwords by checking if salt begins with "$1" for both "md5-crypt" and "crypt" as algorithm name


Change History (11)

by Antti Kaihola, 17 years ago

Attachment: md5-crypt.diff added

use "crypt" as name for both DES and MD5 crypt algorithms and detect MD5 by examining the salt

by Antti Kaihola, 17 years ago

Attachment: md5-crypt-as-algo-name.diff added

algorithm name must be explicitly set to "md5-crypt" for MD5 crypt passwords; salt must still start with $1

by Antti Kaihola, 17 years ago

Attachment: md5-crypt-as-algo-name-plus-autodetect.diff added

detect MD5 crypt passwords by checking if salt begins with "$1" for both "md5-crypt" and "crypt" as algorithm name

comment:1 by Antti Kaihola, 17 years ago

Has patch: set

The above three alternate patches offer three different conventions for specifying MD5 crypt passwords.

The first one doesn't add a new algorithm name. It detects and correctly parses MD5 crypt passwords when the salt part of the password string starts with "$1".

The second one adds "md5-crypt" as a new algorithm name, and MD5 crypt passwords must use it.

The third one adds the "md5-crypt" algorithm name, but also auto-detects MD5 crypt passwords when "crypt" is used as the algorithm name.

comment:2 by Simon G <dev@…>, 17 years ago

Triage Stage: Unreviewed → Design decision needed

akaihola - can you raise this on django-dev?

comment:4 by Philipp Wollermann, 15 years ago

Cc: philipp@… added

I'd like to raise this one again - as far as I can see, these patches still apply cleanly to trunk and provide some nice functionality with regards to exchanging Django authentication credentials with Linux authentication. Was there a reason for not accepting the patch?

comment:5 by Antti Kaihola, 15 years ago

#9194 is somewhat related (allow additional hashing algorithms for passwords).

comment:6 by Gabriel Hurley, 14 years ago

Component: Contrib apps → contrib.auth

comment:7 by Gabriel Hurley, 14 years ago

Severity: Normal
Type: New feature

comment:8 by Alex Gaynor, 13 years ago

Easy pickings: unset
Resolution: wontfix
Status: new → closed
UI/UX: unset

While we don't have it yet, Paul McMillan and others are working on a more proper infrastructure for allowing different password hashing schemes. This will be able to live outside Django once it lands, and thus no action should be taken inside Django for this.
