[Twisted-Python] Getting my Cred interfaces right: IUsername(Hashed)?Password
Hi,

I'm trying to make sure that I have my cred interfaces right.

Users log in using a username and password. They provide these credentials in plaintext (over a TLS'd connection). The user password is stored using a secure key derivation function (in casu, scrypt).

Currently I have this humongous User object (an Axiom Item), and I'm trying to split it up into parts. IIUC, the checker's checked interface should be IUsernamePassword (that's already the case). However, the thing I adapt a User to, to check it, should be an IUsernameHashedPassword, right?

In the end, I doubt this matters an awful lot, unless somebody ends up implementing an IUsernameHashedPassword checker that is smart enough to read both scrypt/bcrypt headers and /etc/shadow-style $-delimited entries.

cheers
lvh
On 09:05 am, _@lvh.cc wrote:
Hi,
I'm trying to make sure that I have my cred interfaces right.
Users log in using a username and password. They provide these credentials in plaintext (over a TLS'd connection). The user password is stored using a secure key derivation function (in casu, scrypt).
Currently I have this humongous User object (an Axiom Item), and I'm trying to split it up into parts. IIUC, the checker's checked interface should be IUsernamePassword (that's already the case). However, the thing I adapt a User to, to check it, should be an IUsernameHashedPassword, right?
This isn't right. The point of declaring interfaces on the checker is so the system knows what kind of credentials it can check. If your credentials object implements a different interface than your checker declares it can check, the system won't ever ask the checker to check the credentials.

It sounds like you might have something extra going on beyond the normal usage of cred, which perhaps makes the idea you've written about here work somehow - but I don't know what the extra something is, and it probably doesn't apply to cred usage in general (i.e., perhaps it is a particularity of Axiom).

Jean-Paul
In the end, I doubt this matters an awful lot, unless somebody ends up implementing an IUsernameHashedPassword checker that is smart enough to read both scrypt/bcrypt headers and /etc/shadow-style $-delimited entries.
cheers
lvh
On Wed, Nov 14, 2012 at 1:29 PM,
This isn't right. The point of declaring interfaces on the checker is so the system knows what kind of credentials it can check. If your credentials object implements a different interface than your checker declares it can check, the system won't ever ask the checker to check the credentials.
Just to be clear: the thing being checked, i.e. the thing being provided by the user when logging in, is just an IUsernamePassword. Hence, the credentialInterfaces list on the ICredentialsChecker is [IUsernamePassword]. The only place where IUsernameHashedPassword comes into play is storage, i.e. the thing I am checking the user-provided IUsernamePassword against.

Maybe code is better: https://gist.github.com/4072062 (old.py is what it is now, new.py is what I'm proposing)

Jean-Paul

cheers
lvh
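To make the split concrete, here is an added example (not from the thread or from lvh's gist): a checker that declares credentialInterfaces = [IUsernamePassword] and verifies the client's plaintext password against a storage-side scrypt record, the record playing the role lvh describes for IUsernameHashedPassword. The use of hashlib.scrypt, the parameters, the fallback stand-in classes and the sample account are assumptions.

```python
import hashlib
import hmac
import os
try:  # use the real Twisted and zope names when they are installed
    from twisted.cred.checkers import ICredentialsChecker
    from twisted.cred.credentials import IUsernamePassword, UsernamePassword
    from twisted.cred.error import UnauthorizedLogin
    from twisted.internet import defer
    from zope.interface import implementer
except ImportError:  # assumed stand-ins so the scrypt logic also runs without Twisted
    ICredentialsChecker = IUsernamePassword = defer = None
    class UnauthorizedLogin(Exception): pass
    class UsernamePassword:
        def __init__(self, u, p): self.username, self.password = u, p
    def implementer(*ifaces): return lambda cls: cls
# Constructed scrypt parameters; tune n to the server's hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
def _derive(password, salt):  # both bytes
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
class ScryptPassword:
    def __init__(self, salt, key):
        self.salt, self.key = salt, key  # storage side: salt plus derived key, never the plaintext
    @classmethod
    def fromPlaintext(cls, password):
        salt = os.urandom(16)
        return cls(salt, _derive(password, salt))
    def checkPassword(self, password):
        # Constant-time comparison of the freshly derived key with the stored one.
        return hmac.compare_digest(self.key, _derive(password, self.salt))
# Used for unknown usernames so a miss costs the same scrypt work as a hit.
_DUMMY = ScryptPassword.fromPlaintext(b"")
@implementer(ICredentialsChecker)
class ScryptChecker:
    # The client sends plaintext, so IUsernamePassword is the interface declared.
    credentialInterfaces = (IUsernamePassword,)
    def __init__(self, users):
        self.users = users  # username (bytes) -> ScryptPassword
    def checkSync(self, credentials):  # avatar id on success, None on any failure
        record = self.users.get(credentials.username, _DUMMY)
        ok = record.checkPassword(credentials.password)
        return credentials.username if ok and record is not _DUMMY else None
    def requestAvatarId(self, credentials):
        avatarId = self.checkSync(credentials)
        return defer.succeed(avatarId) if avatarId is not None else defer.fail(UnauthorizedLogin())
# Constructed sample account; only the scrypt record is stored, never the password.
CHECKER = ScryptChecker({b"alice": ScryptPassword.fromPlaintext(b"correct horse")})
```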
participants (2): exarkun@twistedmatrix.com, Laurens Van Houtven