MD5 crypt passwords


akaihola

Dec 2, 2007, 9:04:09 AM
to Django developers
Changeset 5073 [1] added support for Unix DES crypt passwords (see
ticket 3316 [2] for discussion).

Many systems use MD5-based crypt shadow passwords (see e.g. man 3
crypt or its on-line version [3], under heading "GNU Extension"). This
extension to the crypt library prefixes the encrypted password with
"$1$<up-to-8-character-salt>$" instead of the 2-character salt.

Django uses dollar signs ($) to delimit the algorithm, salt and
encrypted password in the contrib.auth.models.User.password string.
The choice of delimiter collides with glibc2 crypt. Apart from that
MD5 crypt passwords should just work with the current code.

I added a ticket [4] for this and submitted three different solutions
as patches.

I bumped into this issue when creating a Django-based web interface
for a virtual host based e-mail service, and I needed to migrate a
number of Linux user accounts along with their passwords to Django.

[1] http://code.djangoproject.com/changeset/5073
[2] http://code.djangoproject.com/ticket/3316
[3] http://linux.die.net/man/3/crypt
[4] http://code.djangoproject.com/ticket/6028
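
The delimiter collision described in the post above, as an added example in Python (not code from the post, from Django, or from the ticket's patches). It assumes the stored value has the form crypt$<salt argument>$<crypt output>; the function names are hypothetical and the sample strings are constructed, not real password hashes.

```python
import re

# MD5 crypt: "$1$" + up to 8 salt characters + "$" + 22 hash characters
MD5_CRYPT_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{0,8})\$([./0-9A-Za-z]{22})$")
# Traditional DES crypt: 2 salt characters followed by 11 hash characters
DES_CRYPT_RE = re.compile(r"^([./0-9A-Za-z]{2})([./0-9A-Za-z]{11})$")


def naive_parse(stored):
    """Three-way split on '$', as the 'algorithm$salt$hash' layout implies."""
    algo, salt, hsh = stored.split("$")
    return algo, salt, hsh


def crypt_salt(crypt_string):
    """Return (scheme, salt argument) for a crypt(3) output string.

    The salt argument is what crypt() needs to re-hash a candidate password:
    the 2-character salt for DES, the whole "$1$<salt>$" prefix for MD5 crypt.
    """
    m = MD5_CRYPT_RE.match(crypt_string)
    if m:
        return "md5-crypt", "$1$%s$" % m.group(1)
    m = DES_CRYPT_RE.match(crypt_string)
    if m:
        return "des-crypt", m.group(1)
    raise ValueError("unrecognised crypt(3) string")


def tolerant_parse(stored):
    """Try each '$' as the salt/hash delimiter; accept the consistent one."""
    algo, _, rest = stored.partition("$")
    if algo != "crypt":
        return naive_parse(stored)
    for i, ch in enumerate(rest):
        if ch != "$":
            continue
        salt, hsh = rest[:i], rest[i + 1:]
        try:
            expected = crypt_salt(hsh)[1]
        except ValueError:
            continue
        if salt == expected:  # crypt output must embed the same salt
            return algo, salt, hsh
    raise ValueError("no consistent salt/hash split")


# Constructed samples (not real hashes)
MD5_SAMPLE = "crypt$" + "$1$saltsalt$" + "$" + "$1$saltsalt$0123456789abcdefghijkl"
DES_SAMPLE = "crypt$ab$abCDEFGHIJKLM"
```

The DES sample survives the three-way split, while the MD5 crypt sample breaks it because the salt and the hash both contain the delimiter.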

Yuri Baburov

Dec 2, 2007, 11:58:05 AM
to django-d...@googlegroups.com
On Dec 2, 2007 8:04 PM, akaihola <akai...@gmail.com> wrote:
>
> Changeset 5073 [1] added support for Unix DES crypt passwords (see
> ticket 3316 [2] for discussion).
>
> Many systems use MD5-based crypt shadow passwords (see e.g. man 3
> crypt or its on-line version [3], under heading "GNU Extension"). This
> extension to the crypt library prefixes the encrypted password with
> "$1$<up-to-8-character-salt>$" instead of the 2-character salt.
>
> Django uses dollar signs ($) to delimit the algorithm, salt and
> encrypted password in the contrib.auth.models.User.password string.
> The choice of delimiter collides with glibc2 crypt. Apart from that
> MD5 crypt passwords should just work with the current code.
>
> I added a ticket [4] for this and submitted three different solutions
> as patches.
>
> I bumped into this issue when creating a Django-based web interface
> for a virtual host based e-mail service, and I needed to migrate a
> number of Linux user accounts along with their passwords to Django.

You don't really need to change Django to do this.
I've solved this with a User class hook:

import sha  # Python 2 module
from encodings.base64_codec import base64_encode  # assumed source of base64_encode
from django.contrib.auth.models import User, UserManager

# EMailInfo and VIRTUAL_DOMAIN come from the project's own code.

def my_set_password(user, raw_password):
    try:
        this = EMailInfo.objects.get(user=user)
    except EMailInfo.DoesNotExist:
        this = EMailInfo(user=user)
    this.username = user.username
    # Store the password as '{SHA}' + base64 of the SHA-1 digest.
    this.password = '{SHA}' + base64_encode(sha.new(raw_password).digest())[0].strip()
    this.email = '%s@%s' % (user.username, VIRTUAL_DOMAIN)
    user.emailaddress = this

def my_create_user(manager, username, email, password):
    user = real_create_user(manager, username, email, password)
    # user was saved after this
    this = user.emailaddress
    this.user = user
    this.username = user.username
    this.save()
    return user

# Keep references to the originals, then install the hooks.
real_set_password = User.set_password
User.set_password = my_set_password
real_create_user = UserManager.create_user
UserManager.create_user = my_create_user

--
Best regards, Yuri V. Baburov, ICQ# 99934676, Skype: yuri.baburov,
MSN: bu...@live.com

akaihola

Dec 16, 2007, 6:44:12 PM
to Django developers
I need to allow users to log in to my Django site with their old Unix
usernames and passwords, which may be encoded with MD5-based crypt.
Yuri, I don't believe your hook provides that functionality.

Yuri Baburov

Dec 18, 2007, 1:53:58 PM
to django-d...@googlegroups.com
You said you need to migrate accounts.

With my solution everything will be perfect if you have an additional table
for those old passwords.
And your solution can be even simpler: create your own function
for the authentication backend and hook only set_password(user,
raw_password) with your own your_set_password, and do

real_set_password = User.set_password
User.set_password = your_set_password ;)

But your patches are useful though. +0 from me.

Btw, what did you want to achieve with discussion in django-dev?
