================
Password Manager
================

This package provides a password manager mechanism. A password manager
is a utility object that can encode and check encoded
passwords. Beyond the generic interface, this package also provides
four implementations:

* PlainTextPasswordManager - the simplest and the least secure
  one. It does not do any password encoding and simply checks the password
  by string equality. It's useful in tests or as a base class for
  more secure implementations.

* MD5PasswordManager - a password manager that uses the MD5 algorithm to
  encode passwords. It adds a salt to the encoded password, but the salt
  is not used for encoding the password itself, so the use of a salt in
  it is purely cosmetic. It's generally weak against dictionary
  attacks.

* SHA1PasswordManager - a password manager that uses the SHA1 algorithm to
  encode passwords. It has the same salt weakness as the
  MD5PasswordManager.

* SSHAPasswordManager - the most secure password manager, which is
  strong against dictionary attacks. It's basically a SHA1-encoding
  password manager that also incorporates a salt into the password
  when encoding it. This password manager is compatible with passwords
  used in LDAP databases.

It is strongly recommended to use SSHAPasswordManager, as it's the
most secure.

The package also provides a script ``zpasswd`` to generate principal
entries in typical ``site.zcml`` files.
Usage
-----

It's very easy to use password managers. The
``zope.password.interfaces.IPasswordManager`` interface defines only
two methods::

  def encodePassword(password):
      """Return encoded data for the given password"""

  def checkPassword(encoded_password, password):
      """Return whether the given encoded data coincide with the given password"""

An extended interface, ``zope.password.interfaces.IMatchingPasswordManager``,
adds one additional method::

  def match(encoded_password):
      """
      Returns True when the given data was encoded with the scheme
      implemented by this password manager.
      """

The implementations mentioned above are in the
``zope.password.password`` module.
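
The following is an added illustration, not code from the ``zope.password``
package, of the two behaviours described above: the SSHA scheme (salt hashed
together with the password and appended to the digest, so ``checkPassword``
can recover it) and the "cosmetic salt" weakness attributed to the MD5 and
SHA1 managers (salt stored next to the digest but never hashed). It implements
the three interface methods ``encodePassword``, ``checkPassword`` and
``match`` for both. Assumptions: a 4-byte random salt and the URL-safe base64
alphabet, both inferred from the sample value
``{SSHA}Zi_Lsz7Na3bS5rz4Aer-9TbqomXD2f3T`` shown later in this file (32
base64 characters decode to 24 bytes, i.e. a 20-byte SHA1 digest plus 4 bytes
of salt, and the ``_`` and ``-`` characters belong to the URL-safe alphabet).
The ``{CSHA1}`` prefix and the ``CosmeticSaltSHA1Manager`` class are
hypothetical names used only to model the weakness; ``salt_changes_digest`` is
an added audit check, not part of the interface.

```python
import base64
import hashlib
import hmac
import os

# Assumptions for this illustration (see lead-in): 4-byte salt, URL-safe base64.
SALT_LEN = 4
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


class SSHAPasswordManager:
    """SSHA layout: {SSHA} + base64(sha1(password + salt) + salt).
    The salt enters the digest, so equal passwords get different digests."""

    prefix = "{SSHA}"

    def encodePassword(self, password: str, salt: bytes = None) -> str:
        if salt is None:
            salt = os.urandom(SALT_LEN)
        digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return self.prefix + b64(digest + salt)

    def match(self, encoded_password: str) -> bool:
        return encoded_password.startswith(self.prefix)

    def digest_part(self, encoded_password: str) -> bytes:
        return unb64(encoded_password[len(self.prefix):])[:DIGEST_LEN]

    def checkPassword(self, encoded_password: str, password: str) -> bool:
        if not self.match(encoded_password):
            return False
        data = unb64(encoded_password[len(self.prefix):])
        stored_digest, salt = data[:DIGEST_LEN], data[DIGEST_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(candidate, stored_digest)


class CosmeticSaltSHA1Manager:
    """Hypothetical model of the MD5/SHA1 manager weakness:
    {CSHA1} + base64(salt + sha1(password)); the salt is never hashed."""

    prefix = "{CSHA1}"  # hypothetical label, not the library's own format

    def encodePassword(self, password: str, salt: bytes = None) -> str:
        if salt is None:
            salt = os.urandom(SALT_LEN)
        digest = hashlib.sha1(password.encode("utf-8")).digest()  # salt unused
        return self.prefix + b64(salt + digest)

    def match(self, encoded_password: str) -> bool:
        return encoded_password.startswith(self.prefix)

    def digest_part(self, encoded_password: str) -> bytes:
        return unb64(encoded_password[len(self.prefix):])[SALT_LEN:]

    def checkPassword(self, encoded_password: str, password: str) -> bool:
        if not self.match(encoded_password):
            return False
        stored_digest = self.digest_part(encoded_password)
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, stored_digest)


def salt_changes_digest(manager, password: str) -> bool:
    """Audit check: encode one password under two salts and report whether the
    digest portion differs. False means the salt is cosmetic: a single
    precomputed table of sha1(password) covers every user with that password."""
    first = manager.encodePassword(password, salt=b"\x00\x01\x02\x03")
    second = manager.encodePassword(password, salt=b"\xff\xfe\xfd\xfc")
    return manager.digest_part(first) != manager.digest_part(second)


if __name__ == "__main__":
    for mgr in (SSHAPasswordManager(), CosmeticSaltSHA1Manager()):
        enc = mgr.encodePassword("secret")
        print(type(mgr).__name__, enc,
              "check:", mgr.checkPassword(enc, "secret"),
              "salt effective:", salt_changes_digest(mgr, "secret"))
```

Running the block prints one line per manager; ``salt_changes_digest`` is
``True`` only for the SSHA variant. Note that even SSHA is a single fast SHA1
round with a 4-byte salt; it defeats shared precomputed tables but not brute
force of an individual entry, which is why current practice prefers a
deliberately slow construction (bcrypt, scrypt or Argon2) where the stored
format is not constrained by LDAP compatibility.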
Password Manager Names Vocabulary
---------------------------------

The ``zope.password.vocabulary`` module provides a vocabulary of
registered password manager utility names. It is typically registered
as an ``IVocabularyFactory`` utility named "Password Manager Names".

It's intended to be used with ``zope.component`` and ``zope.schema``,
so you need to have them installed, and the utility registrations need
to be done properly. The ``configure.zcml`` file contained in
``zope.password`` does the registrations, as does the
``setUpPasswordManagers`` function in the ``zope.password.testing`` module.
zpasswd script
--------------

``zpasswd`` is a script to generate principal entries in typical
``site.zcml`` files.

You can create a ``zpasswd`` script in your package by adding a
section like this to your ``buildout.cfg``::

  [zpasswd]
  recipe = z3c.recipe.dev:script
  eggs = zope.password
  module = zope.password.zpasswd
  method = main

This will generate a ``zpasswd`` script the next time you run
``buildout``.

When run, the script will ask you for all parameters needed to create
a typical principal entry, including the encoded password.

Use::

  $ bin/zpasswd --help

to get a list of options.

Using::

  $ bin/zpasswd -c some/site.zcml

the script will try to look up any password manager you defined and
registered in your environment. This lookup is not necessary if you
go with the standard password managers defined in ``zope.password``.
A typical ``zpasswd`` session::

  $ ./bin/zpasswd
  Please choose an id for the principal.
  Id: foo
  Please choose a title for the principal.
  Title: The Foo
  Please choose a login for the principal.
  Login: foo
  Password manager:
   1. Plain Text
   2. MD5
   3. SHA1
   4. SSHA
  Password Manager Number [4]:
  SSHA password manager selected
  Please provide a password for the principal.
  Password:
  Verify password:
  Please provide an optional description for the principal.
  Description: The main foo
  ============================================
  Principal information for inclusion in ZCML:
    <principal
      id="foo"
      title="The Foo"
      login="foo"
      password="{SSHA}Zi_Lsz7Na3bS5rz4Aer-9TbqomXD2f3T"
      description="The main foo"
      password_manager="SSHA"
      />