During my coding session/hour today, I thought about the HtPasswdChecker. IMHO compatibility with Apache's htpasswd files is a major point here, so we need to support Apache's md5 and sha1 algorithms.
There is a small, pure Python module for Apache/md5 under a liberal license. What about embedding this module in authority/lib or something like that?
> During my coding session/hour today, I thought about the HtPasswdChecker.
> IMHO compatibility with Apache's htpasswd files is a major point here, so we
> need to support Apache's md5 and sha1 algorithms.
>
> There is a small, pure Python module for Apache/md5 under a liberal
> license. What about embedding this module in authority/lib or something
> like that?
The library seems to have no single license as the code (the ideas) comes from different sources:
- FreeBSD (beer-ware license)
- Crypt::PasswdMD5 (Perl): same terms as Perl itself (GPL v2(+?), Artistic License)
- Michal Wallace (public domain)
Quite a license mess, but I think these licenses do not place additional license burdens on authority beyond the conditions of a 3-clause BSD.
> The library seems to have no single license as the code (the ideas) comes
> from different sources:
> - FreeBSD (beer-ware license)
> - Crypt::PasswdMD5 (Perl): same terms as Perl itself (GPL v2(+?),
>   Artistic License)
> - Michal Wallace (public domain)
>
> Quite a license mess, but I think these licenses do not place additional
> license burdens on authority beyond the conditions of a 3-clause BSD.
> fs
I think we can probably integrate this without too much difficulty. I'd like to eventually allow the user to configure which hash algorithm to use (in the config file...maybe "authority.checker.hashtype") with at least the following options:
- crypt
- md5 (python)
- md5 (Apache)
- sha1 (Apache can use this too, not sure if python implementation is compatible though)
You're right, the licensing is a bit of a mess though.
Kevin Horn wrote:
> I think we can probably integrate this without too much difficulty. I'd
> like to eventually allow the user to configure which hash algorithm to use
> (in the config file...maybe "authority.checker.hashtype") with at least the
> following options: (...)
I don't think we should add a configuration option for that: Just parse the htaccess file and use the appropriate algorithm (Apache's htpasswd tool can create files with different hash algorithms). IMHO a configuration mechanism is only needed if we had to add a new hash to the database.
> Kevin Horn wrote:
> > I think we can probably integrate this without too much difficulty. I'd
> > like to eventually allow the user to configure which hash algorithm to use
> > (in the config file...maybe "authority.checker.hashtype") with at least the
> > following options: (...)
>
> I don't think we should add a configuration option for that: Just parse the
> htaccess file and use the appropriate algorithm (Apache's htpasswd tool can
> create files with different hash algorithms). IMHO a configuration mechanism
> is only needed if we had to add a new hash to the database.
> fs
That could work, but it would probably preclude using Python's md5 hash in situations where you aren't using Apache. How would you tell the difference between them? While Apache compatibility is the main reason I wanted to include this checker, I had also considered that people could use it as a basic method of password storage, even when Apache wasn't present.
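
One way the per-entry detection discussed in this thread could look, as an added example that is not part of the original messages or of the project's code. Apache's htpasswd marks its MD5 entries with a `$apr1$` prefix and its SHA-1 entries with `{SHA}`, so the stored value itself identifies the scheme. The function names and sample entries are constructed, and reading "md5 (python)" as a bare 32-character hex digest is an assumption.

```python
import base64
import hashlib
import hmac

# Constructed sample; bob's and carol's hash fields are shape-only dummies.
SAMPLE = """\
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
bob:$apr1$abcdefgh$0123456789abcdefghijkl
carol:abJnggxhB/yWI
dave:5f4dcc3b5aa765d61d8327deb882cf99
# comment line; the next line is malformed
no-colon-here
"""

def detect_scheme(stored):
    """Classify one hash field by the marker the stored value carries."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"            # Apache's salted MD5
    if stored.startswith("{SHA}"):
        return "sha1"                # base64 of an unsalted SHA-1 digest
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "hex-md5"             # assumption: "md5 (python)" = hexdigest()
    if len(stored) == 13:
        return "crypt"               # traditional crypt(3) output length
    return "unknown"

def parse_htpasswd(text):
    """Return {user: (scheme, stored_hash)}, skipping comments and junk."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = (detect_scheme(stored), stored)
    return entries

def verify(password, stored):
    """Check a password for the two schemes hashlib covers directly."""
    scheme = detect_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "sha1":
        expected = "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    elif scheme == "hex-md5":
        expected, stored = hashlib.md5(pw).hexdigest(), stored.lower()
    else:
        raise NotImplementedError(scheme)  # apr1/crypt need their own routines
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), stored.encode())
```

The `$apr1$` and crypt entries are recognised but not verified here; those need the separate Apache/md5 module and a crypt implementation.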