• Password Hash Validation (Posting On Python-List Prohibited)

    From Lawrence D'Oliveiro@21:1/5 to All on Wed Jun 19 07:36:20 2024
    I am writing code to validate entered user passwords against hashes
    served up from /etc/shadow via LDAP. I had previously used passlib
    <https://passlib.readthedocs.io> to do the hashing. But now I discover
    it is not keeping up; for example, Debian and other distros are now
    using yescrypt (hashes with “$y$” prefix), but passlib has no support
    for that.

    However, one language that does seem able to keep up to date is Perl.
    So here’s my current password validation function:

    import subprocess

    def validate_password(password, hash) :
        "hashes password using the algorithm and salt prefix from hash, and" \
        " returns whether the result matches hash."
        # password and hash reach Perl through the environment, not argv
        outhash = subprocess.check_output \
          (
            args = ("perl", "-e", "print crypt($ENV{\"PW\"}, $ENV{\"HASH\"});"),
            env = {"PW" : password, "HASH" : hash},
            text = True
          ).strip()
        return \
            outhash == hash
    #end validate_password

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Gordinator@21:1/5 to Lawrence D'Oliveiro on Wed Jun 19 17:29:01 2024
    On 19/06/2024 08:36, Lawrence D'Oliveiro wrote:
    > I am writing code to validate entered user passwords against hashes
    > served up from /etc/shadow via LDAP. I had previously used passlib
    > <https://passlib.readthedocs.io> to do the hashing. But now I discover
    > it is not keeping up; for example, Debian and other distros are now
    > using yescrypt (hashes with “$y$” prefix), but passlib has no support
    > for that.
    >
    > However, one language that does seem able to keep up to date is Perl.
    > So here’s my current password validation function:
    >
    > def validate_password(password, hash) :
    >     "hashes password using the algorithm and salt prefix from hash, and" \
    >     " returns whether the result matches hash."
    >     outhash = subprocess.check_output \
    >       (
    >         args = ("perl", "-e", "print crypt($ENV{\"PW\"}, $ENV{\"HASH\"});"),
    >         env = {"PW" : password, "HASH" : hash},
    >         text = True
    >       ).strip()
    >     return \
    >         outhash == hash
    > #end validate_password

    What an...interesting commenting method. I would personally use
    """triple quotes""" to allow for multi-line comments, but between you
    and me, that's just creating a string and allocating it nowhere.

  • From Lawrence D'Oliveiro@21:1/5 to Gordinator on Thu Jun 20 01:00:35 2024
    On Wed, 19 Jun 2024 17:29:01 +0100, Gordinator wrote:

    > What an...interesting commenting method. I would personally use
    > """triple quotes""" to allow for multi-line comments ...

    But then you end up with extra space for indentation inside the strings,
    and you need additional processing to strip it out afterwards.

    It always seemed to me that multiline strings should follow a similar
    indentation rule to statement blocks: lines after the first one must be
    at least as indented as the first line, and that initial indentation is
    stripped from the start of all of the lines, at compile time.

  • From Paul Rubin@21:1/5 to Lawrence D'Oliveiro on Thu Jun 20 14:49:16 2024
    Lawrence D'Oliveiro <ldo@nz.invalid> writes:
    > However, one language that does seem able to keep up to date is Perl.
    > So here’s my current password validation function:...
    >     outhash = subprocess.check_output \
    >       (
    >         args = ("perl", "-e", "print crypt.... )

    Ugh! Better to re-implement the function in Python. I'll take a look:

    https://www.openwall.com/yescrypt/

    In fact that site links to Python bindings for Yescrypt:

    https://github.com/0xcb/pyescrypt

    I guess C bindings rather than a pure Python implementation are
    necessary, since part of the idea of the function is to impede brute
    force attacks by burning a lot of CPU and memory on each hash.

  • From Lawrence D'Oliveiro@21:1/5 to Paul Rubin on Fri Jun 21 03:40:55 2024
    On Thu, 20 Jun 2024 14:49:16 -0700, Paul Rubin wrote:

    > Lawrence D'Oliveiro <ldo@nz.invalid> writes:
    >
    >> However, one language that does seem able to keep up to date is Perl.
    >> So here’s my current password validation function:...
    >>     outhash = subprocess.check_output \
    >>       (
    >>         args = ("perl", "-e", "print crypt.... )
    >
    > Ugh! Better to re-implement the function in Python.

    I want a wrapper for crypt(3) and friends, so I automatically support
    any password hashes that the system implements, now or in the future.
    I don’t want to have to worry about specific hash algorithms in my code.

    passlib meant well, but I think it was over-engineered for this purpose.

    I think I will create my own wrapper using ctypes.

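
An added example of the approach described in the post above: calling the system's crypt(3) through ctypes, so that any scheme the local libcrypt supports (yescrypt included) is handled without naming algorithms. It is not the nixcrypt code or anything posted in the thread; the fallback library names, the lock, and the policy of rejecting empty, `*` and `!` hash fields are assumptions of this example.

```python
import ctypes
import ctypes.util
import hmac
import threading

def _load_libcrypt():
    # find_library() needs ldconfig or a compiler, so also try common sonames
    # (assumed names) and finally the symbols already loaded in this process.
    names = (ctypes.util.find_library("crypt"), "libcrypt.so.1", "libcrypt.so.2", None)
    for name in names:
        try:
            lib = ctypes.CDLL(name)
            lib.crypt  # AttributeError if this object does not export crypt()
            return lib
        except (OSError, AttributeError):
            continue
    raise OSError("no crypt(3) implementation found")

_lib = _load_libcrypt()
_lib.crypt.argtypes = (ctypes.c_char_p, ctypes.c_char_p)
_lib.crypt.restype = ctypes.c_char_p
_lock = threading.Lock()  # crypt() returns a pointer into static storage

def crypt_hash(password, setting):
    "returns crypt(3) of password under setting (salt prefix or full hash), or None on failure."
    pw, st = password.encode(), setting.encode()
    if b"\0" in pw or b"\0" in st:
        return None  # C would silently truncate at the NUL byte
    with _lock:
        out = _lib.crypt(pw, st)  # restype c_char_p copies the result to bytes
    if not out or out.startswith(b"*"):
        return None  # NULL or a "*0"/"*1" failure token
    return out.decode("ascii", "replace")

def validate_password(password, stored):
    "returns whether password hashes to stored, a shadow-style hash field."
    if not stored or stored[0] in "*!":
        return False  # empty, locked or disabled entry never matches
    computed = crypt_hash(password, stored)
    if computed is None:
        return False
    # constant-time comparison of the two hash strings
    return hmac.compare_digest(computed.encode(), stored.encode())

if __name__ == "__main__":
    sample = crypt_hash("correct horse", "$6$constructedsalt")  # constructed input
    print(sample, validate_password("correct horse", sample))
```

Checking the return value for NULL and for a leading `*` matters because a failed crypt() call must never compare equal to a stored field that is itself empty or a lock marker.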
  • From Lawrence D'Oliveiro@21:1/5 to All on Fri Jun 21 06:32:58 2024
    On Fri, 21 Jun 2024 03:40:55 -0000 (UTC), I wrote:

    > I think I will create my own wrapper using ctypes.

    Done <https://gitlab.com/ldo/nixcrypt>.

  • From Lawrence D'Oliveiro@21:1/5 to All on Fri Jul 12 07:01:03 2024
    On Fri, 21 Jun 2024 06:32:58 -0000 (UTC), I wrote:

    > On Fri, 21 Jun 2024 03:40:55 -0000 (UTC), I wrote:
    >
    >> I think I will create my own wrapper using ctypes.
    >
    > Done <https://gitlab.com/ldo/nixcrypt>.

    The repo now includes an example script that exercises the various
    functions of the module.
