
Author christian.heimes
Recipients christian.heimes
Date 2019-05-21.17:00:09
Message-id <1558458009.82.0.580344483538.issue36997@roundup.psfhosted.org>
In-reply-to
Content
The spwd module has several flaws. Especially the combination of spwd and crypt for password verification is dangerous and in almost all cases technically wrong. 

    # don't do this!
    pw1 = spwd.getspnam(username).sp_pwd
    pw2 = crypt.crypt(password, pw1)
    if pw1 == pw2:
        ...

On BSD, Linux, and macOS, account and credential verification must go through PAM.

Also see:
https://mail.python.org/pipermail/python-dev/2019-May/157562.html
https://mail.python.org/pipermail/python-dev/2019-May/157564.html
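
An added illustration (not code from this issue or from CPython) of one way the pattern above goes wrong: the hash comparison succeeds even when the shadow(5) aging fields say the account or password has expired, state that a PAM account check evaluates. The entries, the day number and `toy_crypt` are constructed; `toy_crypt` is a stand-in for `crypt.crypt()` and not a real password hash (spwd and crypt were removed in Python 3.13).

```python
import hashlib
from collections import namedtuple

# Constructed stand-in for a subset of spwd.struct_spwd; -1 means "field empty".
Shadow = namedtuple("Shadow", "sp_nam sp_pwd sp_lstchg sp_max sp_expire")

def toy_crypt(password, salted):
    # Stand-in for crypt.crypt(): reuse the salt of the stored value.
    salt = salted.split("$", 1)[0]
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def naive_check(entry, password):
    # The pattern from the message: compares hashes and nothing else.
    return toy_crypt(password, entry.sp_pwd) == entry.sp_pwd

def skipped_account_checks(entry, today):
    """Account-state conditions (days since 1970-01-01) the naive check ignores."""
    problems = []
    if entry.sp_expire != -1 and today >= entry.sp_expire:
        problems.append("account expired")
    if entry.sp_lstchg == 0:
        problems.append("password change required")
    elif entry.sp_max != -1 and entry.sp_lstchg + entry.sp_max < today:
        problems.append("password expired")
    return problems

TODAY = 19000                      # constructed "current day" number
STORED = toy_crypt("s3cret", "ab$")  # constructed stored value
ENTRIES = [                        # constructed shadow entries
    Shadow("alice", STORED, 18990, 90, -1),
    Shadow("bob", STORED, 17990, 99999, 18000),
    Shadow("carol", STORED, 18000, 90, -1),
]

def audit(password="s3cret", today=TODAY):
    # Map each user to (naive check result, conditions that check never saw).
    return {e.sp_nam: (naive_check(e, password), skipped_account_checks(e, today))
            for e in ENTRIES}

if __name__ == "__main__":
    for name, (ok, problems) in audit().items():
        print(name, "naive check:", ok, "| ignored:", problems or "nothing")
```

The sketch covers only the local shadow file; accounts that come from other sources never appear in it at all.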
History
Date                 User              Action  Args
2019-05-21 17:00:09  christian.heimes  set     recipients: + christian.heimes
2019-05-21 17:00:09  christian.heimes  set     messageid: <1558458009.82.0.580344483538.issue36997@roundup.psfhosted.org>
2019-05-21 17:00:09  christian.heimes  link    issue36997 messages
2019-05-21 17:00:09  christian.heimes  create