Message343072
| Author | christian.heimes |
|---|---|
| Recipients | christian.heimes |
| Date | 2019-05-21.17:00:09 |
| Message-id | <1558458009.82.0.580344483538.issue36997@roundup.psfhosted.org> |
| In-reply-to |
| Content | |
|---|---|
The spwd module has several flaws. Especially the combination of spwd and crypt for password verification is dangerous and in almost all cases technically wrong.
```python
# don't do this!
pw1 = spwd.getspnam(username).sp_pwd
pw2 = crypt.crypt(password, pw1)
if pw1 == pw2:
    ...
```
On BSD, Linux, and macOS, account and credential verification must go through PAM.
Also see:
https://mail.python.org/pipermail/python-dev/2019-May/157562.html
https://mail.python.org/pipermail/python-dev/2019-May/157564.html
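One concrete way the comparison in the message above goes wrong, as an added example that is not part of the original message or of CPython: it reads only the hash field, so the other shadow(5) fields that pam_unix's account checks evaluate are never looked at. The sample entries are constructed, and the names `parse_shadow_line`, `ignored_account_state` and `audit` are hypothetical.

```python
from datetime import date
from typing import NamedTuple, Optional

EPOCH = date(1970, 1, 1)

class ShadowEntry(NamedTuple):
    name: str
    pwd: str                   # the only field the hash comparison reads
    lstchg: Optional[int]      # day of last password change (days since epoch)
    max_days: Optional[int]    # maximum password age in days
    expire: Optional[int]      # account expiry day (days since epoch)

def _days(field: str) -> Optional[int]:
    return int(field) if field else None

def parse_shadow_line(line: str) -> ShadowEntry:
    # shadow(5): name:pwd:lstchg:min:max:warn:inact:expire:reserved
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields")
    return ShadowEntry(f[0], f[1], _days(f[2]), _days(f[4]), _days(f[7]))

def ignored_account_state(entry: ShadowEntry, today: date) -> list:
    """Account problems that comparing crypt() output to sp_pwd never sees."""
    now = (today - EPOCH).days
    problems = []
    if entry.expire is not None and now >= entry.expire:
        problems.append("account expired")
    if entry.lstchg == 0:
        problems.append("password change required at next login")
    elif None not in (entry.lstchg, entry.max_days) and now > entry.lstchg + entry.max_days:
        problems.append("password older than maximum age")
    return problems

# Constructed sample entries; the hash field is a placeholder, not a real hash.
SAMPLE = """\
alice:$6$constructed$placeholder:19000:0:99999:7:::
bob:$6$constructed$placeholder:17900:0:99999:7::18000:
carol:$6$constructed$placeholder:19000:0:90:7:::
dave:$6$constructed$placeholder:0:0:99999:7:::
"""

def audit(text: str, today: date) -> dict:
    # Illustration only: real verification still goes through PAM.
    return {e.name: ignored_account_state(e, today)
            for e in map(parse_shadow_line, text.splitlines())}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE, date(2024, 1, 1)).items():
        print(name, problems or "no account-state problems")
```

A correct password for bob, carol or dave would still satisfy the hash comparison, even though each entry carries account state that should block or redirect the login.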