IANARP (I am not a ruby programmer), but:

If you look in django.contrib.auth.models.get_hexdigest() (about line 18),
you will see that django forms the digest on the sequence of the salt,
followed by the password the user types (raw_password).

Judging from the appearance of "self.encrypt(pass+salt)", below, ruby was
calculating the digest on the raw password followed by the salt.  These are
going to give different answers, even if the salt, raw password, and sha1
algorithms are the same.  (I expect the sha1s to be the same, returning 40
hexadecimal digits as a string, though the letters could be upper case in one
and lower case in the other.)

The easiest approach, if you can't demand that the users do a password
reset, would be to make yourself a custom version of that file where
get_hexdigest() accepts an additional encoding type, say 'rubysha1',
for which it combines the raw password and salt in the ruby order (and
possibly applies upper() or lower() to the result, if necessary).
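[Added example, not part of Bill's reply or of Django's own code. It shows the two salt orders side by side and a small stand-alone check_password() that understands both the Django-era "sha1$salt$hexdigest" layout and a hypothetical "rubysha1$salt$hexdigest" entry carrying the Rails tutorial's order. The 'rubysha1' name, the import_rails_user() and upgrade_encoded() helpers, the 10-character salt and the sample password are all assumptions made for the example; the only fact taken from the thread is the order of concatenation on each side.]

```python
import hashlib
import hmac
import secrets

# Django 1.x layout as described in the thread: sha1(salt + raw_password),
# stored as "sha1$<salt>$<hexdigest>".
def django_sha1(salt, raw_password):
    return hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()

# The Rails tutorial's User.encrypt: Digest::SHA1.hexdigest(pass + salt),
# i.e. password first, then salt.
def ruby_sha1(raw_password, salt):
    return hashlib.sha1((raw_password + salt).encode("utf-8")).hexdigest()

def get_hexdigest(algorithm, salt, raw_password):
    """Same shape as the old django.contrib.auth.models.get_hexdigest(),
    extended with a hypothetical 'rubysha1' algorithm name (assumption)."""
    if algorithm == "sha1":
        return django_sha1(salt, raw_password)
    if algorithm == "rubysha1":
        return ruby_sha1(raw_password, salt)
    raise ValueError("unsupported algorithm: %r" % (algorithm,))

def check_password(raw_password, encoded):
    """Verify raw_password against an 'algo$salt$hexdigest' string."""
    algo, salt, hsh = encoded.split("$", 2)
    computed = get_hexdigest(algo, salt, raw_password)
    # Lower-case both sides so an upper-case hex digest exported from the
    # old site still matches; compare in constant time.
    return hmac.compare_digest(computed.lower(), hsh.lower())

def import_rails_user(salt, hashed_password):
    """Build the string to store in auth_user.password for one migrated row,
    using the salt and hashed_password columns copied from the Rails users table."""
    return "rubysha1$%s$%s" % (salt, hashed_password)

def upgrade_encoded(raw_password, encoded):
    """After a successful login against a 'rubysha1' entry, re-encode the
    password in the native 'sha1$' layout so legacy entries disappear as
    users log in.  The 10-hex-char salt length is an assumption."""
    if encoded.startswith("rubysha1$"):
        salt = secrets.token_hex(5)
        return "sha1$%s$%s" % (salt, django_sha1(salt, raw_password))
    return encoded

if __name__ == "__main__":
    # Constructed sample values, standing in for one row of the Rails users table.
    rails_salt = "h7Kq2ZpL9x"              # User.random_string(10)
    raw = "correct horse"
    rails_hash = ruby_sha1(raw, rails_salt).upper()   # what the old site stored

    # Same salt and password, different digests: the order matters.
    print("django order :", django_sha1(rails_salt, raw))
    print("ruby order   :", ruby_sha1(raw, rails_salt))

    naive = "sha1$%s$%s" % (rails_salt, rails_hash)
    ported = import_rails_user(rails_salt, rails_hash)
    print("sha1$ entry accepted?    ", check_password(raw, naive))    # False
    print("rubysha1$ entry accepted?", check_password(raw, ported))   # True
    print("after upgrade:", upgrade_encoded(raw, ported))
```

The salt is kept exactly as exported; only the hex digest is case-folded, because SHA-1 over "pass+salt" is sensitive to the salt's own case.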


On Thu, Dec 3, 2009 at 12:10 PM, Dave <[email protected]> wrote:
> Thanks, I didn't realize there was another wrinkle in this problem. I
> thought all SHA1 was the same.
>
> I'm not sure if I have access to the code -- the site was a Ruby on
> Rails site before. I followed a tutorial (http://www.aidanf.net/
> rails_user_authentication_tutorial) to create the authentication
> system. Here are some relevant (I think?) code snippets (from the user
> model):
>
> require 'digest/sha1'
>
> def password=(pass)
>   @password = pass
>   self.salt = User.random_string(10) if !self.salt?
>   self.hashed_password = User.encrypt(@password, self.salt)
> end
>
> def self.encrypt(pass, salt)
>   Digest::SHA1.hexdigest(pass+salt)
> end
>
> def self.authenticate(login, pass)
>   u = find(:first, :conditions => ["login = ?", login])
>   return nil if u.nil?
>   return u if User.encrypt(pass, u.salt) == u.hashed_password
>   nil
> end
>
> If I wanted to recreate that system in django to replace the sha1$
> part of the password field, would I basically need to port this code
> to django?
>
> Thanks again for your help!
>
>
>
> On Dec 3, 8:06 am, Bill Freeman <[email protected]> wrote:
>> Do you have access to the password checking code for the source system?
>> It's fine to say that you have an SHA1 hash, but even if that's true, there
>> are many choices for how to represent the digest, and how to apply the
>> salt.
>>
>> If you have access to the code, you might insert print statements to see
>> what various intermediate values you see.  If it's just a case of 
>> representing
>> the hash (or salt) as an integer versus a hexadecimal string, for example,
>> then you have a prayer of converting.  But if one applies the salt to the
>> beginning of the message, and the other to the end, or to both, or embeds
>> it, or one squashes the password to radix 50 or some such and the other
>> doesn't, or a number of other possibilities, you are out of luck making it
>> work with the default auth framework.
>>
>> You could implement an additional password type in Django, using the old
>> site's algorithm, and calling it something other than sha1 (the key before
>> the first '$').
>>
>>
>>
>> On Wed, Dec 2, 2009 at 7:18 PM, Dave <[email protected]> wrote:
>> > I have a website with about 90 users that I'm trying to import into
>> > Django. Right now, the users have a password with a salt and a hash,
>> > so I tried (with a sample user) to format the password how Django
>> > likes them. I did sha1$salt$hash and I wasn't able to log into admin
>> > with that user (I made that user a superuser, staff, and active). I'm
>> > using Django's auth authentication system. Has anyone run into this
>> > before? Do I have to do something else to get this to work?
>>
>> > Thanks in advance!
>>
>> > --
>>
>> > You received this message because you are subscribed to the Google Groups 
>> > "Django users" group.
>> > To post to this group, send email to [email protected].
>> > To unsubscribe from this group, send email to 
>> > [email protected].
>> > For more options, visit this group 
> >> > at http://groups.google.com/group/django-users?hl=en.
>
