python django未盐分的md5密码哈希格式 [英] python django unsalted md5 password hash format

问题描述

ive从一个旧的php应用程序中获得了一个用户表，该表中的用户使用未加盐的md5哈希作为密码，并且由于我将该应用程序迁移到django，因此我试图将所有用户都放在 auth_user 表中.

ive got an user table from an old php application where users have unsalted md5 hashes as password and because im migrating the app to django, im trying to put all users in auth_user table.

参考此帖子，可以将密码存储为不加盐的md5散列.但这对我不起作用吗?(python/2.7.6，django/1.6.1)

referring to this post, it is possible to store passwords as md5 hashes without salt. but that doesnt work for me? (python/2.7.6,django/1.6.1)

例如对于具有密码"changeme"的用户，我认为密码的格式应为md5 $$ 4cb9c8a8048fd02294477fcb1a41191a，还是我丢失了某些内容?

like e.g. for an user having password "changeme" i assume it should be in the format md5$$4cb9c8a8048fd02294477fcb1a41191a or am i missing something?

:

PASSWORD_HASHERS = (
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)

如果在某种程度上相关，则在views.py中使用login_required装饰器

im using login_required decorator in views.py if somehow related:

@login_required
def index(request):
    logger.debug('index accessed from %s by %s' % (request.META.get('REMOTE_ADDR'), request.user.username) )
    member = members.objects.get(nickname=request.user.username)
    context = {'request': request, 'member': member}
    return render(request, 'voip/index.html', context)

以及以下urls.py:

and following urls.py:

url(r'^login/$', 'django.contrib.auth.views.login', {
  'template_name': 'voip/login.html'
}),
url(r'^logout/$', 'django.contrib.auth.views.logout_then_login', {
  #'template_name': 'voip/logout.html'
}),

这可以在settings.py中使用.pyAUTHENTICATION_BACKENDS看起来像这样:

this works as long as in settings.py AUTHENTICATION_BACKENDS looks like this:

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'django_auth_ldap.backend.LDAPBackend',
)

当我注释掉django_auth_ldap时，它不起作用.但是，如果我随后将psbkdf2哈希从最初安装的超级用户(用于调试的set set pw changeme)复制到我自己的auth_user表中的用户，则我可能使用密码"changeme"登录...

as soon as i comment out django_auth_ldap its not working. but if i then copy the pbkdf2 hash from initially installed superuser (ive set pw changeme for debugging) to my own user in auth_user table, i may log in with password "changeme"...

推荐答案

根据我在Django 1.6.1源代码中看到的内容，您不能将MD5PasswordHasher与空盐一起使用:

From what I can see in Django 1.6.1 source code you cannot use MD5PasswordHasher with an empty salt: https://github.com/django/django/blob/1.6.1/django/contrib/auth/hashers.py#L397.

但是有 UnsaltedMD5PasswordHasher 可能适合您.

您提到的答案写于4年前，当时Django 1.2占领了市场.我已经检查了它的密码哈希代码，并且那里没有任何断言，这就是为什么MD5哈希尔当时使用空盐的原因.

The answer you mentioned was written 4 years ago when Django 1.2 ruled the market. I've checked its password hashing code and it didn't have any assertions there, that's why MD5 hasher worked with empty salts back then.

这篇关于python django未盐分的md5密码哈希格式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！