More versatile (ht)passwd file support


Alex King

Dec 5, 2014, 7:32:55 PM
to passli...@googlegroups.com
I'm interested in a module like the Apache application helper.  I want to manage password files for libpam-pwdfile (https://github.com/tiwe-de/libpam-pwdfile), through ansible.  Ansible has a htpasswd module which uses "from passlib.apache import HtpasswdFile", but this naturally only supports the hashes used by apache.  If there were a generic passwd file application helper that allowed additional hashes, this could be used by ansible to support libpam-pwdfile and other password file types.

There is only one format common to apache htpasswd and libpam-pwdfile - the original DES.  This works but I'd prefer not to use it.

I'm happy to write code for it if there is a chance that it will be incorporated into the release.

Cheers,
Alex

Eli Collins

Dec 6, 2014, 1:10:43 PM
to passli...@googlegroups.com
It's not that well advertised in the documentation, but it's actually
possible to do that with the existing HtpasswdFile class. The
constructor accepts an optional "context" parameter, which can be used
to completely override the set of supported hashes by passing in a
custom CryptContext object. If you're on a linux / bsd system,
there's even a pre-built CryptContext that should match your
system's crypt(), and defaults to something much stronger
(sha512_crypt on linux):

>>> from passlib.apache import HtpasswdFile
>>> from passlib.hosts import host_context
>>> ht = HtpasswdFile("/some/file", context=host_context)

It looks like libpam-pwdfile will accept the "user:hash" format the
HtpasswdFile works with... but let me know if you have trouble on that
front. While HtpasswdFile is (currently) very rigid in its file
format, I'm certainly open to expanding that module ... especially
in the direction of /etc/passwd & /etc/shadow -style files.

Hope that helps!

- Eli


--
Eli Collins el...@assurancetechnologies.com
Software Development & I.T. Consulting
Assurance Technologies www.assurancetechnologies.com

Alex King

Dec 6, 2014, 11:48:21 PM
to passli...@googlegroups.com
Excellent, that's exactly what I needed. I see now it is in the
documentation, if I read it thoroughly.

I'll put in a feature request to ansible to be able to use it.

Thanks,
Alex