Opened 17 years ago
Closed 13 years ago
#6028 closed New feature (wontfix)
add compatibility with glibc2 MD5-based crypt passwords
Reported by: | Antti Kaihola | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | auth password crypt mp5 |
Cc: | philipp@… | Triage Stage: | Design decision needed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
In [5073] support for Unix DES crypt passwords was added (see #3316 for discussion).
Many systems use MD5-based crypt shadow passwords (see e.g. man 3 crypt or its on-line version, under heading "GNU Extension"). This extension to the crypt library prefixes the encrypted password with "$1$<8-character-salt>$" instead of the 2-character salt.
Django uses dollar signs ("$") to delimit the algorithm, salt and encrypted password in the contrib.auth.models.User.password string. The choice of delimiter collides with glibc2 crypt. Apart from that, MD5 crypt passwords should just work with the current code.
I bumped into this in a project where I need to move a number of Linux user accounts along with their passwords to Django.
The first solution which comes to mind is to add another algorithm name, e.g. "md5-crypt", and add its own splitting parser to replace the current one.
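The collision described above, as an added example that is not part of the ticket or of any of its patches: a naive split of Django's "algo$salt$hash" string on "$" breaks as soon as the salt field holds a glibc MD5 crypt string, because that string carries two further "$" delimiters of its own. The block below implements the convention of the third attachment (accept "md5-crypt" as an algorithm name, and also auto-detect an MD5 crypt string under the "crypt" name by looking for the "$1$" prefix), and includes a pure-Python MD5 crypt so it runs without the platform crypt(3) (Python's own `crypt` module is deprecated since 3.11 and removed in 3.13). The function names `md5_crypt`, `naive_split`, `split_password` and `check_password` are this example's, not Django's.

```python
import hashlib
import hmac

# crypt(3)-style base64 alphabet used by MD5 crypt (not the RFC 4648 alphabet).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MD5_CRYPT_MAGIC = "$1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` crypt-base64 characters, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password: str, salt: str) -> str:
    """Pure-Python glibc/FreeBSD MD5 crypt; returns the full "$1$<salt>$<hash>" string.

    Example function, not Django code. Accepts either a bare salt or a complete
    "$1$salt$hash" string and, like crypt(3), uses at most 8 salt characters.
    """
    if salt.startswith(MD5_CRYPT_MAGIC):
        salt = salt[len(MD5_CRYPT_MAGIC):]
    salt = salt.split("$", 1)[0][:8]
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")
    magic = MD5_CRYPT_MAGIC.encode("ascii")

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # feed alt once per 16 bytes of password
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                   # the classic bit-walk quirk of md5crypt
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                      # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)                 # 22 characters in total
    return MD5_CRYPT_MAGIC + salt + "$" + out


def naive_split(encoded: str):
    """What a plain three-way split on "$" does; None when the field count is wrong."""
    try:
        algo, salt, hsh = encoded.split("$")
    except ValueError:
        return None
    return algo, salt, hsh


def split_password(encoded: str):
    """Split "algo$salt$hash", recognising an MD5 crypt string in the salt position.

    Under the names "crypt" and "md5-crypt", a remainder starting with "$1$" is
    parsed as "$1$<salt>$<hash>" and reported with algorithm "md5-crypt".
    """
    algo, rest = encoded.split("$", 1)
    if algo in ("crypt", "md5-crypt") and rest.startswith(MD5_CRYPT_MAGIC):
        salt, hsh = rest[len(MD5_CRYPT_MAGIC):].split("$", 1)
        return "md5-crypt", salt, hsh
    salt, hsh = rest.split("$", 1)
    return algo, salt, hsh


def check_password(raw: str, encoded: str) -> bool:
    """Verify `raw` against a stored "algo$salt$hash" string (md5-crypt or sha1 only)."""
    algo, salt, hsh = split_password(encoded)
    if algo == "md5-crypt":
        expected = md5_crypt(raw, salt)
        return hmac.compare_digest(expected, MD5_CRYPT_MAGIC + salt + "$" + hsh)
    if algo == "sha1":                         # Django's sha1 of the era: sha1(salt + raw)
        digest = hashlib.sha1((salt + raw).encode("utf-8")).hexdigest()
        return hmac.compare_digest(digest, hsh)
    # Plain DES crypt ("crypt" with a 2-character salt) needs the platform crypt(3);
    # it is intentionally not handled here.
    raise ValueError("unsupported algorithm: %s" % algo)


if __name__ == "__main__":
    # Constructed sample: an imported /etc/shadow entry stored under the "crypt" name.
    stored = "crypt$" + md5_crypt("correct horse", "saltsalt")
    print(stored)
    print("naive split:", naive_split(stored))
    print("aware split:", split_password(stored))
    print("check:", check_password("correct horse", stored))
```

The hash produced by `md5_crypt` can be cross-checked against the system implementation with `openssl passwd -1 -salt saltsalt 'correct horse'`. Note that MD5 crypt is a 1000-round unsalted-iteration scheme from the 1990s: it is fine for verifying imported accounts, but a migration should re-hash each password with a modern scheme on the user's first successful login rather than keep these strings.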
Attachments (3)
Change History (11)
by , 17 years ago
Attachment: md5-crypt.diff added
by , 17 years ago
Attachment: md5-crypt-as-algo-name.diff added
algorithm name must be explicitly set to "md5-crypt" for MD5 crypt passwords; salt must still start with $1
by , 17 years ago
Attachment: md5-crypt-as-algo-name-plus-autodetect.diff added
detect MD5 crypt passwords by checking if salt begins with "$1" for both "md5-crypt" and "crypt" as algorithm name
comment:1 by , 17 years ago
Has patch: set
The above three alternate patches offer three different conventions for specifying MD5 crypt passwords.
The first one doesn't add a new algorithm name. It detects and correctly parses MD5 crypt passwords when the salt part of the password string starts with "$1".
The second one adds "md5-crypt" as a new algorithm name, and MD5 crypt passwords must use it.
The third one adds the "md5-crypt" algorithm name, but also auto-detects MD5 crypt passwords when "crypt" is used as the algorithm name.
comment:2 by , 17 years ago
Triage Stage: Unreviewed → Design decision needed
akaihola - can you raise this on django-dev?
comment:3 by , 17 years ago
comment:4 by , 15 years ago
Cc: added
I'd like to raise this one again - as far as I can see, these patches still apply cleanly to trunk and provide some nice functionality with regards to exchanging Django authentication credentials with Linux authentication. Was there a reason for not accepting the patch?
comment:5 by , 15 years ago
#9194 is somewhat related (allow additional hashing algorithms for passwords).
comment:6 by , 13 years ago
Component: Contrib apps → contrib.auth
comment:7 by , 13 years ago
Severity: → Normal
Type: → New feature
comment:8 by , 13 years ago
Easy pickings: unset
Resolution: → wontfix
Status: new → closed
UI/UX: unset
While we don't have it yet, Paul McMillan and others are working on a more proper infrastructure for allowing different password hashing schemes. This will be able to live outside Django once it lands, and thus no action should be taken inside Django for this.
use "crypt" as name for both DES and MD5 crypt algorithms and detect MD5 by examining the salt