Migrate ASP.NET membership users to Django without resetting passwords?

Posted on 2024-10-14 10:25:49

I've got a system that was partially written by someone else and is a complete maintenance nightmare for such a small app. I've finally been given changes which justifies just rewriting the horrible mess so I am moving it to Django.

Before I take the plunge, I've been trying to move over the password hash and salt into the Django auth tables [sha1]$[salt]$[hash] but can't get it to hash properly (resetting passwords isn't really an option).

Here is what I've been able to find out so far:

  • ASP.NET stores the hash as base64 string and uses a base64 salt (before hash)
  • I can obviously reverse the base64 hash to a byte array
  • Django uses a hexdigest, I tried BitConverter.ToString but they hash differently

Am I fighting a losing battle here? Would it be better to write a method in Django to hash as ASP.NET does?

Any help appreciated,

Thomas

Comments (2)

月亮邮递员 2024-10-21 10:25:49

The only real options you have here to avoid a password reset in the middle are to:

  1. Write a hash translation algorithm to transfer the Asp.Net hash into the hexdigest hash. Good luck with this one. If you pull it off, write a paper about it.
  2. Rewrite the Django hashing algorithm to hash identically to the Asp.Net algorithm. This one should be the easiest to pull off, but it's still going to have its traps and pitfalls in the process.

You could also attempt to reverse engineer the passwords, but if you're successful in doing that it sort of makes the hashing algorithm pointless IMO.

挽手叙旧 2024-10-21 10:25:49

Create a new module with the following Django password hasher to handle ASP.net (sha1) passwords:

import hashlib
import base64

from django.contrib.auth.hashers import (BasePasswordHasher, mask_hash)
from django.utils.datastructures import SortedDict
from django.utils.encoding import force_bytes
from django.utils.crypto import constant_time_compare
from django.utils.translation import ugettext_noop as _

def utf16tobin(s):
    # Python 2 'hex' codec: drop the first 2 bytes (the BOM that
    # encode('utf16') prepends) and return the remaining raw bytes.
    return s.encode('hex')[4:].decode('hex')

class MSSHA1PasswordHasher(BasePasswordHasher):
    """
    ASP.NET hasher
    """
    algorithm = "mssha1"

    def encode(self, password, salt):
        assert password is not None
        assert salt and '$' not in salt
        # Password as UTF-16 bytes without the BOM
        pwdenc = password.encode('utf16')
        pwdenc = utf16tobin(pwdenc)
        # The stored salt is base64 text; hash its decoded bytes
        saltdecode = base64.b64decode(salt)
        m = hashlib.sha1()
        m.update(saltdecode)
        m.update(pwdenc)
        # The digest is kept as base64, not hexdigest
        hash = base64.b64encode(m.digest())
        return "%s$%s$%s" % (self.algorithm, salt, hash)

    def verify(self, password, encoded):
        algorithm, salt, hash = encoded.split('$', 2)
        assert algorithm == self.algorithm
        encoded_2 = self.encode(password, salt)
        return constant_time_compare(encoded, encoded_2)

    def safe_summary(self, encoded):
        algorithm, salt, hash = encoded.split('$', 2)
        assert algorithm == self.algorithm
        return SortedDict([
            (_('algorithm'), algorithm),
            (_('salt'), mask_hash(salt, show=2)),
            (_('hash'), mask_hash(hash)),
        ])

Add the module name to your settings file in the PASSWORD_HASHERS list (see https://docs.djangoproject.com/en/1.4/topics/auth/ for details).

Migrate the ASP.net salt and password into the Django password field like this:

user.password = "mssha1$" + old_membership.passwordsalt + "$" + old_membership.password

Users can then log in to your Django app with their existing ASP.net passwords. Once they've logged in successfully, Django will automatically upgrade their passwords to the latest algorithm, e.g. PBKDF2.
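Added example, not part of the original answer: a framework-free Python 3 version of the scheme the hasher in the answer above implements, showing why re-encoding the base64 digest as hex never matches Django's own sha1$salt$hash format. The function names, sample salt and sample password are constructed for illustration, and UTF-16LE is assumed as the BOM-less encoding the answer's utf16tobin produces on a little-endian host.

```python
import base64
import hashlib
import hmac

def aspnet_sha1(password, salt_b64):
    """base64(SHA1(decoded salt bytes + UTF-16LE password)), as in the answer's hasher."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def django_legacy_sha1(password, salt):
    """Django's sha1$salt$hash scheme: hexdigest of SHA1(salt text + password)."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()

def to_django_field(salt_b64, hash_b64):
    """Build the mssha1$<salt>$<hash> value for user.password."""
    if "$" in salt_b64 or "$" in hash_b64:
        raise ValueError("'$' is the field separator; it cannot appear in salt or hash")
    return "mssha1$%s$%s" % (salt_b64, hash_b64)

def verify(password, encoded):
    """Check a candidate password against a migrated mssha1 value."""
    algorithm, salt_b64, hash_b64 = encoded.split("$", 2)
    if algorithm != "mssha1":
        return False
    candidate = aspnet_sha1(password, salt_b64)
    # Constant-time comparison, as the answer does with constant_time_compare
    return hmac.compare_digest(candidate.encode(), hash_b64.encode())

def demo():
    # Constructed sample membership row: salt and password are made up.
    salt_b64 = base64.b64encode(bytes(range(16))).decode("ascii")
    stored_hash = aspnet_sha1("Tr0ub4dor&3", salt_b64)
    encoded = to_django_field(salt_b64, stored_hash)
    # Same digest, hex-encoded: still differs from Django's sha1 scheme because
    # the hashed input differs (decoded salt bytes + UTF-16LE vs. salt text + UTF-8).
    stored_hex = base64.b64decode(stored_hash).hex()
    return {
        "encoded": encoded,
        "accepts_correct": verify("Tr0ub4dor&3", encoded),
        "rejects_wrong": verify("tr0ub4dor&3", encoded),
        "hex_matches_django_sha1":
            stored_hex == django_legacy_sha1("Tr0ub4dor&3", salt_b64),
    }

if __name__ == "__main__":
    print(demo())
```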
