I am using twisted's Perspective Broker for a network application. I encountered the problem that it automatically uses an MD5 challenge-response scheme for authentication. Ideally I would prefer not to store MD5 hashes on the server-side due to a number of security vulnerabilities. Alternatively, scrypt, bcrypt or pbkdf2 provide more secure algorithms.
However, while these algorithms are readily available in python, I don't quite see, whether it is possible to implement a custom authentication scheme using the Perspective Broker. Judging from the source, it looks like MD5 is very tightly integrated within the system.
So my question goes to more experienced twisted users: is there a way to use a custom authentication scheme without having to rewrite the whole thing?
(Also, please correct me, if any of my assumptions about twisted or cryptography are wrong. I am quite new to both.)
All you need to do in order to implement a custom authentication scheme for Perspective Broker is to implement a set of method calls on a root object which, after completion, provide access to your desired application-level object.
You won't be able to re-use PB's built-in
login
method and its accompanying wire-protocol messages, but that's fine; that's the thing you intend to replace anyway :).Note that when you construct a
PBServerFactory
, you provide a root object. If you want to call methods on that object, rather than performing a "standard" PB login and calling methods on the returned avatar (i.e. per-user / per-connection object), callgetRootObject
on the PB client factory and usecallRemote
on the result.