Opened 8 years ago

Closed 4 years ago

#6028 closed New feature (wontfix)

add compatibility with glibc2 MD5-based crypt passwords

Reported by: akaihola Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords: auth password crypt mp5
Cc: philipp@… Triage Stage: Design decision needed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In [5073] support for Unix DES crypt passwords was added (see #3316 for discussion).

Many systems use MD5-based crypt shadow passwords (see e.g. man 3 crypt or its on-line version, under heading "GNU Extension"). This extension to the crypt library prefixes the encrypted password with "$1$<8-character-salt>$" instead of the 2-character salt.

Django uses dollar signs ($) to delimit the algorithm, salt and encrypted password in the contrib.auth.models.User.password string. The choice of delimiter collides with glibc2 crypt. Apart from that, MD5 crypt passwords should just work with the current code.

I bumped into this in a project where I need to move a number of Linux user accounts along with their passwords to Django.

The first solution which comes to mind is to add another algorithm name, e.g. "md5-crypt", and add its own splitting parser to replace the current one.

Attachments (3)

md5-crypt.diff (709 bytes) - added by akaihola 8 years ago.
use "crypt" as name for both DES and MD5 crypt algorithms and detect MD5 by examining the salt
md5-crypt-as-algo-name.diff (1.2 KB) - added by akaihola 8 years ago.
algorithm name must be explicitly set to "md5-crypt" for MD5 crypt passwords; salt must still start with $1
md5-crypt-as-algo-name-plus-autodetect.diff (1.2 KB) - added by akaihola 8 years ago.
detect MD5 crypt passwords by checking if salt begins with "$1" for both "md5-crypt" and "crypt" as algorithm name


Change History (11)

Changed 8 years ago by akaihola

use "crypt" as name for both DES and MD5 crypt algorithms and detect MD5 by examining the salt

Changed 8 years ago by akaihola

algorithm name must be explicitly set to "md5-crypt" for MD5 crypt passwords; salt must still start with $1

Changed 8 years ago by akaihola

detect MD5 crypt passwords by checking if salt begins with "$1" for both "md5-crypt" and "crypt" as algorithm name

comment:1 Changed 8 years ago by akaihola

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

The above three alternate patches offer three different conventions for specifying MD5 crypt passwords.

The first one doesn't add a new algorithm name. It detects and correctly parses MD5 crypt passwords when the salt part of the password string starts with "$1".

The second one adds "md5-crypt" as a new algorithm name, and MD5 crypt passwords must use it.

The third one adds the "md5-crypt" algorithm name, but also auto-detects MD5 crypt passwords when "crypt" is used as the algorithm name.
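The delimiter collision from the description and the third convention from comment:1 (auto-detect a "$1" salt for both "crypt" and "md5-crypt"), as an added example that is not part of the ticket or any of its patches. It assumes the imported field is stored as `crypt$$1$<salt>$<hash>` and implements MD5-crypt in pure Python (hashlib) rather than calling crypt(3), so it runs the same on any platform; `split_password`, `md5_crypt` and `check_password` are names chosen here, not Django's.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """Pure-Python glibc MD5-crypt ('$1$<salt>$<22 chars>'), so the check does
    not depend on the platform's crypt(3); salt is at most 8 characters."""
    pw, sb = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(final[:min(16, n)])
    i = len(pw)
    while i:  # quirky bit-walk over len(pw): NUL for set bits, pw[0] otherwise
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out, groups = "", ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    for a, b, c in groups:  # crypt's own base64 variant, 3 bytes -> 4 chars
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out, v = out + ITOA64[v & 0x3F], v >> 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return "$1$" + sb.decode() + "$" + out

def split_password(stored: str):
    """Parse Django's 'algo$salt$hash' field without tripping over the glibc
    '$1$' salt prefix (the ticket's third convention: auto-detect for both names)."""
    algo, rest = stored.split("$", 1)
    if algo in ("crypt", "md5-crypt") and rest.startswith("$1$"):
        salt, hsh = rest[3:].split("$", 1)
        return "md5-crypt", salt, hsh
    salt, hsh = rest.split("$", 1)  # legacy 3-part layout, e.g. DES 'crypt$ab$...'
    return algo, salt, hsh

def check_password(raw: str, stored: str) -> bool:
    algo, salt, hsh = split_password(stored)
    if algo != "md5-crypt":
        raise NotImplementedError("only MD5-crypt is covered by this example")
    # constant-time comparison of the recomputed string against the stored one
    return hmac.compare_digest(md5_crypt(raw, salt), "$1$%s$%s" % (salt, hsh))
```

A shadow entry such as `$1$saltsalt$...` is imported by prefixing it with `crypt$`; a plain `str.split('$')` into three parts would fail on the resulting five-part string, which is exactly what the salt-aware split above avoids.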

comment:2 Changed 8 years ago by Simon G <dev@…>

  • Triage Stage changed from Unreviewed to Design decision needed

akaihola - can you raise this on django-dev?

comment:4 Changed 6 years ago by philwo

  • Cc philipp@… added

I'd like to raise this one again - as far as I can see, these patches still apply cleanly to trunk and provide some nice functionality with regards to exchanging Django authentication credentials with Linux authentication. Was there a reason for not accepting the patch?

comment:5 Changed 5 years ago by akaihola

#9194 is somewhat related (allow additional hashing algorithms for passwords).

comment:6 Changed 4 years ago by gabrielhurley

  • Component changed from Contrib apps to contrib.auth

comment:7 Changed 4 years ago by gabrielhurley

  • Severity set to Normal
  • Type set to New feature

comment:8 Changed 4 years ago by Alex

  • Easy pickings unset
  • Resolution set to wontfix
  • Status changed from new to closed
  • UI/UX unset

While we don't have it yet, Paul McMillan and others are working on a more proper infrastructure for allowing different password hashing schemes. This will be able to live outside Django once it lands, and thus no action should be taken inside Django for this.
