More secure password hashing defaults

(cherry picked from commit eba5d91299)

  Default hash method to pbkdf2-sha256 & allow customizing CryptContext options

  This introduces a new login::cryptcontext_settings config option.

  Closes #645.

coremods/control.py

@@ -9,7 +9,7 @@ import atexit
 
 from pylinkirc import world, utils, conf  # Do not import classes, it'll import loop
 from pylinkirc.log import log, _make_file_logger, _stop_file_loggers, _get_console_log_level
-from . import permissions
+from . import permissions, login
 
 def remove_network(ircobj):
     """Removes a network object from the pool."""
@@ -104,6 +104,7 @@ def rehash():
 
     log.debug('rehash: updating console log level')
     world.console_handler.setLevel(_get_console_log_level())
+    login._make_cryptcontext()  # refresh password hashing settings
 
     for network, ircobj in world.networkobjects.copy().items():
         # Server was removed from the config file, disconnect them.

coremods/login.py

@@ -5,18 +5,30 @@ login.py - Implement core login abstraction.
 from pylinkirc import conf, utils, world
 from pylinkirc.log import log
 
-try:
+# PyLink's global password context
-    from passlib.context import CryptContext
-except ImportError:
-    CryptContext = None
-    log.warning("Hashed passwords are disabled because passlib is not installed. Please install "
-                "it (pip3 install passlib) and restart for this feature to work.")
-
 pwd_context = None
-if CryptContext:
+
-    pwd_context = CryptContext(["sha512_crypt", "sha256_crypt"],
+_DEFAULT_CRYPTCONTEXT_SETTINGS = {
-                               sha256_crypt__default_rounds=180000,
+    'schemes': ["pbkdf2_sha256", "sha512_crypt"]
-                               sha512_crypt__default_rounds=90000)
+}
+def _make_cryptcontext():
+    try:
+        from passlib.context import CryptContext
+    except ImportError:
+        log.warning("Hashed passwords are disabled because passlib is not installed. Please install "
+                    "it (pip3 install passlib) and rehash for this feature to work.")
+        return
+
+    context_settings = conf.conf.get('login', {}).get('cryptcontext_settings') or _DEFAULT_CRYPTCONTEXT_SETTINGS
+    global pwd_context
+    if pwd_context is None:
+        log.debug("Initialized new CryptContext with settings: %s", context_settings)
+        pwd_context = CryptContext(**context_settings)
+    else:
+        log.debug("Updated CryptContext with settings: %s", context_settings)
+        pwd_context.update(**context_settings)
+
+_make_cryptcontext()  # This runs at startup and in rehash (control.py)
 
 def _get_account(accountname):
     """

example-conf.yml

@@ -117,6 +117,16 @@ login:
             # are supported here as well.
             #hosts: ["*!*@localhost", "*!*@trusted.isp"]
 
+    # For ADVANCED users: adjusts settings for PyLink's default passlib CryptContext.
+    # As of PyLink 2.1, the default is to use pbkdf2_sha256 for new hashes, while also allowing verifying
+    # sha512_crypt for compatibility with PyLink < 2.1.
+
+    # This is configured as a dict of settings, which will be passed into the CryptContext constructor.
+    # See https://passlib.readthedocs.io/en/stable/lib/passlib.context.html for a list of valid options.
+    # Changes to this setting require a rehash to apply.
+    #cryptcontext_settings:
+        #schemes: ["pbkdf2_sha256", "sha512_crypt"]
+
 permissions:
     # Permissions blocks in PyLink are define as a mapping of PyLink targets (i.e. hostmasks or
     # exttargets) to lists of permission nodes. You can find a list of permissions that PyLink and