Validate user on FreeBSD

Steven Taschuk staschuk at telusplanet.net
Fri Mar 21 20:55:35 CET 2003


Quoth Dan Nyanko:
> Steven Taschuk <staschuk at telusplanet.net> wrote in message news:<mailman.1048222276.31387.python-list at python.org>...
  [...]
> > Why not just use ftp or sftp?
> 
> This is a learning project and a hobby.  [...]

Ah.  Then see below.

> [...] Using existing programs is
> not why a person visits comp.lang.*

(Some people visit comp.lang.* just looking for help doing
something with language X, not having thought about whether they
should actually be writing something for that purpose in the first
place.)

> I put port 510 for no other reason that I was reading about FCP when I
> wrote the program.  I guess I was thinking along the lines of
> cryptography and a secure protocol for sending files across tcp/ip... 
> Of course, my code does not accomplish any of that but I would like
> for it to do so in the future.

The socket module has support for SSL connections; this can get
you encryption over the link, which is a good start.  If you have
any real need for encryption, I recommend re-using SSL rather than
rolling your own; it is notoriously difficult to make
cryptographically secure systems.

For authentication, there's a few things you could do.  Probably
easiest: once the connection is encrypted, prompt for a user name
and password, look up the user name in some local database which
lists for each user the right password [1] and other data of
interest such as the user's home directory and whatnot.  On Unixy
systems, you can access the /etc/passwd database with the pwd
module.

(If the link is not encrypted, this method is bad.  It's also
vulnerable to man-in-the-middle attacks in any case.)

Once you've authenticated the user, you can downgrade your
privileges to that user's with os.setuid() or os.seteuid(); see
man 2 set[e]uid for details.

[1] Actually one rarely stores the password itself; /etc/passwd
stores a hash instead, so if the password file is compromised it's
not a complete disaster.  See the crypt module.

-- 
Steven Taschuk                                     staschuk at telusplanet.net
Receive them ignorant; dispatch them confused.  (Weschler's Teaching Motto)





More information about the Python-list mailing list