Subject: Password Hash Validation (Posting On Python-List Prohibited)
From: Lawrence D'Oliveiro
Newsgroups: comp.lang.python
Organization: A noiseless patient Spider
Date: Wed, 19 Jun 2024 07:36 UTC

I am writing code to validate entered user passwords against hashes
served up from /etc/shadow via LDAP. I had previously used passlib
<https://passlib.readthedocs.io> to do the hashing. But now I discover
it is not keeping up; for example, Debian and other distros are now
using yescrypt (hashes with “$y$” prefix), but passlib has no support
for that.

However, one language that does seem able to keep up to date is Perl.
So here’s my current password validation function:

import subprocess

def validate_password(password, hash) :
    "hashes password using the algorithm and salt prefix from hash, and" \
    " returns whether the result matches hash."
    # the password and hash reach Perl through the environment, not the command line
    outhash = subprocess.check_output \
      (
        args = ("perl", "-e", "print crypt($ENV{\"PW\"}, $ENV{\"HASH\"});"),
        env = {"PW" : password, "HASH" : hash},
        text = True
      ).strip()
    return \
        outhash == hash
#end validate_password

Subject: Re: Password Hash Validation (Posting On Python-List Prohibited)
From: Gordinator
Newsgroups: comp.lang.python
Organization: usenet-news.net
Date: Wed, 19 Jun 2024 16:29 UTC

On 19/06/2024 08:36, Lawrence D'Oliveiro wrote:
> I am writing code to validate entered user passwords against hashes
> served up from /etc/shadow via LDAP. I had previously used passlib
> <https://passlib.readthedocs.io> to do the hashing. But now I discover
> it is not keeping up; for example, Debian and other distros are now
> using yescrypt (hashes with “$y$” prefix), but passlib has no support
> for that.
>
> However, one language that does seem able to keep up to date is Perl.
> So here’s my current password validation function:
>
> def validate_password(password, hash) :
>     "hashes password using the algorithm and salt prefix from hash, and" \
>     " returns whether the result matches hash."
>     outhash = subprocess.check_output \
>       (
>         args = ("perl", "-e", "print crypt($ENV{\"PW\"}, $ENV{\"HASH\"});"),
>         env = {"PW" : password, "HASH" : hash},
>         text = True
>       ).strip()
>     return \
>         outhash == hash
> #end validate_password

What an...interesting commenting method. I would personally use
"""triple quotes""" to allow for multi-line comments, but between you
and me, that's just creating a string and allocating it nowhere.

Subject: Re: Password Hash Validation (Posting On Python-List Prohibited)
From: Lawrence D'Oliveiro
Newsgroups: comp.lang.python
Organization: A noiseless patient Spider
Date: Thu, 20 Jun 2024 01:00 UTC

On Wed, 19 Jun 2024 17:29:01 +0100, Gordinator wrote:

> What an...interesting commenting method. I would personally use
> """triple quotes""" to allow for multi-line comments ...

But then you end up with extra space for indentation inside the strings,
and you need additional processing to strip it out afterwards.

It always seemed to me that multiline strings should follow a similar
indentation rule to statement blocks: lines after the first one must be at
least as indented as the first line, and that initial indentation is
stripped from the start of all of the lines, at compile time.

Subject: Re: Password Hash Validation (Posting On Python-List Prohibited)
From: Paul Rubin
Newsgroups: comp.lang.python
Organization: A noiseless patient Spider
Date: Thu, 20 Jun 2024 21:49 UTC

Lawrence D'Oliveiro <ldo@nz.invalid> writes:
> However, one language that does seem able to keep up to date is Perl.
> So here’s my current password validation function:...
> outhash = subprocess.check_output \
> (
> args = ("perl", "-e", "print crypt.... )

Ugh! Better to re-implement the function in Python. I'll take a look:

https://www.openwall.com/yescrypt/

In fact that site links to Python bindings for Yescrypt:

https://github.com/0xcb/pyescrypt

I guess C bindings rather than a pure Python implementation are
necessary, since part of the idea of the function is to impede brute
force attacks by burning a lot of CPU and memory on each hash.

Subject: Re: Password Hash Validation (Posting On Python-List Prohibited)
From: Lawrence D'Oliveiro
Newsgroups: comp.lang.python
Organization: A noiseless patient Spider
Date: Fri, 21 Jun 2024 03:40 UTC

On Thu, 20 Jun 2024 14:49:16 -0700, Paul Rubin wrote:

> Lawrence D'Oliveiro <ldo@nz.invalid> writes:
>
>> However, one language that does seem able to keep up to date is Perl.
>> So here’s my current password validation function:...
>> outhash = subprocess.check_output \
>> (
>> args = ("perl", "-e", "print crypt.... )
>
> Ugh! Better to re-implement the function in Python.

I want a wrapper for crypt(3) and friends, so I automatically support any
password hashes that the system implements, now or in the future. I don’t
want to have to worry about specific hash algorithms in my code.

passlib meant well, but I think it was over-engineered for this purpose.

I think I will create my own wrapper using ctypes.
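
A sketch of the crypt(3)-through-ctypes approach discussed in this thread, added here as an illustration; it is not code from any poster or from a project linked in the thread. The names `crypt_hash` and `validate_password` and the sample salt are assumptions; it also rejects locked or empty shadow fields and compares in constant time.

```python
import ctypes
import ctypes.util
import hmac
import threading

def _load_crypt():
    # crypt(3) lives in libcrypt on glibc systems and in libc on some others.
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1", None):
        try:
            lib = ctypes.CDLL(name, use_errno=True)
            lib.crypt.argtypes = (ctypes.c_char_p, ctypes.c_char_p)
            lib.crypt.restype = ctypes.c_char_p
            return lib
        except (OSError, AttributeError):
            continue
    raise ImportError("no library exporting crypt(3) was found")

_lib = _load_crypt()
_lock = threading.Lock()  # crypt() returns a pointer into a static buffer

def crypt_hash(password, setting):
    """Return the crypt(3) hash of password under setting, or None on failure."""
    if "\0" in password or "\0" in setting:
        return None  # C strings end at NUL; refuse rather than truncate
    with _lock:
        out = _lib.crypt(password.encode(), setting.encode())
    # Failure shows up as NULL or, with libxcrypt, a token starting with "*".
    if out is None or out.startswith(b"*"):
        return None
    return out.decode("ascii")

def validate_password(password, stored):
    """True only if stored is a usable hash and password reproduces it."""
    # An empty field or one starting with "!" or "*" is not a hash.
    if not stored or stored[0] in "!*":
        return False
    computed = crypt_hash(password, stored)
    if computed is None:
        return False
    return hmac.compare_digest(computed.encode(), stored.encode())

if __name__ == "__main__":
    # Constructed sample: a SHA-512 crypt ("$6$") hash made here with a fixed salt.
    sample = crypt_hash("correct horse", "$6$constructedsalt$")
    print(validate_password("correct horse", sample))   # matching password
    print(validate_password("wrong guess", sample))     # non-matching password
    print(validate_password("correct horse", "!" + sample))  # locked entry
```

Because the stored hash is passed back as the setting string, whichever schemes the system's crypt(3) supports are handled without naming any of them in the Python code.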

Subject: Re: Password Hash Validation (Posting On Python-List Prohibited)
From: Lawrence D'Oliveiro
Newsgroups: comp.lang.python
Organization: A noiseless patient Spider
Date: Fri, 21 Jun 2024 06:32 UTC

On Fri, 21 Jun 2024 03:40:55 -0000 (UTC), I wrote:

> I think I will create my own wrapper using ctypes.

Done <https://gitlab.com/ldo/nixcrypt>.

Subject: Re: Password Hash Validation (Posting On Python-List Prohibited)
From: Lawrence D'Oliveiro
Newsgroups: comp.lang.python
Organization: A noiseless patient Spider
Date: Fri, 12 Jul 2024 07:01 UTC

On Fri, 21 Jun 2024 06:32:58 -0000 (UTC), I wrote:

> On Fri, 21 Jun 2024 03:40:55 -0000 (UTC), I wrote:
>
>> I think I will create my own wrapper using ctypes.
>
> Done <https://gitlab.com/ldo/nixcrypt>.

The repo now includes an example script that exercises the various
functions of the module.
