3
0
mirror of https://github.com/jlu5/PyLink.git synced 2025-01-14 06:02:37 +01:00

More secure password hashing defaults

(cherry picked from commit eba5d91299)

  Default hash method to pbkdf2-sha256 & allow customizing CryptContext options

  This introduces a new login::cryptcontext_settings config option.

  Closes #645.
This commit is contained in:
James Lu 2019-06-07 14:10:42 -07:00
parent c7e4c05cbd
commit 6054476900
3 changed files with 35 additions and 12 deletions

View File

@ -9,7 +9,7 @@ import atexit
from pylinkirc import world, utils, conf # Do not import classes, it'll import loop from pylinkirc import world, utils, conf # Do not import classes, it'll import loop
from pylinkirc.log import log, _make_file_logger, _stop_file_loggers, _get_console_log_level from pylinkirc.log import log, _make_file_logger, _stop_file_loggers, _get_console_log_level
from . import permissions from . import permissions, login
def remove_network(ircobj): def remove_network(ircobj):
"""Removes a network object from the pool.""" """Removes a network object from the pool."""
@ -104,6 +104,7 @@ def rehash():
log.debug('rehash: updating console log level') log.debug('rehash: updating console log level')
world.console_handler.setLevel(_get_console_log_level()) world.console_handler.setLevel(_get_console_log_level())
login._make_cryptcontext() # refresh password hashing settings
for network, ircobj in world.networkobjects.copy().items(): for network, ircobj in world.networkobjects.copy().items():
# Server was removed from the config file, disconnect them. # Server was removed from the config file, disconnect them.

View File

@ -5,18 +5,30 @@ login.py - Implement core login abstraction.
from pylinkirc import conf, utils, world from pylinkirc import conf, utils, world
from pylinkirc.log import log from pylinkirc.log import log
# PyLink's global password context
pwd_context = None
_DEFAULT_CRYPTCONTEXT_SETTINGS = {
'schemes': ["pbkdf2_sha256", "sha512_crypt"]
}
def _make_cryptcontext():
try: try:
from passlib.context import CryptContext from passlib.context import CryptContext
except ImportError: except ImportError:
CryptContext = None
log.warning("Hashed passwords are disabled because passlib is not installed. Please install " log.warning("Hashed passwords are disabled because passlib is not installed. Please install "
"it (pip3 install passlib) and restart for this feature to work.") "it (pip3 install passlib) and rehash for this feature to work.")
return
pwd_context = None context_settings = conf.conf.get('login', {}).get('cryptcontext_settings') or _DEFAULT_CRYPTCONTEXT_SETTINGS
if CryptContext: global pwd_context
pwd_context = CryptContext(["sha512_crypt", "sha256_crypt"], if pwd_context is None:
sha256_crypt__default_rounds=180000, log.debug("Initialized new CryptContext with settings: %s", context_settings)
sha512_crypt__default_rounds=90000) pwd_context = CryptContext(**context_settings)
else:
log.debug("Updated CryptContext with settings: %s", context_settings)
pwd_context.update(**context_settings)
_make_cryptcontext() # This runs at startup and in rehash (control.py)
def _get_account(accountname): def _get_account(accountname):
""" """

View File

@ -117,6 +117,16 @@ login:
# are supported here as well. # are supported here as well.
#hosts: ["*!*@localhost", "*!*@trusted.isp"] #hosts: ["*!*@localhost", "*!*@trusted.isp"]
# For ADVANCED users: adjusts settings for PyLink's default passlib CryptContext.
# As of PyLink 2.1, the default is to use pbkdf2_sha256 for new hashes, while also allowing verifying
# sha512_crypt for compatibility with PyLink < 2.1.
# This is configured as a dict of settings, which will be passed into the CryptContext constructor.
# See https://passlib.readthedocs.io/en/stable/lib/passlib.context.html for a list of valid options.
# Changes to this setting require a rehash to apply.
#cryptcontext_settings:
#schemes: ["pbkdf2_sha256", "sha512_crypt"]
permissions: permissions:
# Permissions blocks in PyLink are define as a mapping of PyLink targets (i.e. hostmasks or # Permissions blocks in PyLink are define as a mapping of PyLink targets (i.e. hostmasks or
# exttargets) to lists of permission nodes. You can find a list of permissions that PyLink and # exttargets) to lists of permission nodes. You can find a list of permissions that PyLink and