Lawrence D'Oliveiro
2024-06-19 07:36:20 UTC
I am writing code to validate entered user passwords against hashes
served up from /etc/shadow via LDAP. I had previously used passlib
<https://passlib.readthedocs.io> to do the hashing. But now I discover
it is not keeping up; for example, Debian and other distros are now
using yescrypt (hashes with “$y$” prefix), but passlib has no support
for that.
However, one language that does seem able to keep up to date is Perl.
So here’s my current password validation function:
def validate_password(password, hash) :
"hashes password using the algorithm and salt prefix from hash, and" \
" returns whether the result matches hash."
outhash = subprocess.check_output \
(
args = ("perl", "-e", "print crypt($ENV{\"PW\"}, $ENV{\"HASH\"});"),
env = {"PW" : password, "HASH" : hash},
text = True
).strip()
return \
outhash == hash
#end validate_password
served up from /etc/shadow via LDAP. I had previously used passlib
<https://passlib.readthedocs.io> to do the hashing. But now I discover
it is not keeping up; for example, Debian and other distros are now
using yescrypt (hashes with “$y$” prefix), but passlib has no support
for that.
However, one language that does seem able to keep up to date is Perl.
So here’s my current password validation function:
def validate_password(password, hash) :
"hashes password using the algorithm and salt prefix from hash, and" \
" returns whether the result matches hash."
outhash = subprocess.check_output \
(
args = ("perl", "-e", "print crypt($ENV{\"PW\"}, $ENV{\"HASH\"});"),
env = {"PW" : password, "HASH" : hash},
text = True
).strip()
return \
outhash == hash
#end validate_password