问题
I am migrating a site from Drupal 7 to Django 1.4, including the current users. How can I work with the passwords that were hashed by Drupal?
According to this, Drupal 7 hashes passwords using SHA-512 (they are stored in the form of a string starting with "$S$").
Django 1.4 now contains a number of options for storing passwords, with a default of SHA-256, but I can't find an option for SHA-512. While this app appears to allow the use of SHA2 algorithms, I'm not sure it's compatible with Django 1.4 (as 1.4 has a flexible password hasher).
What is the simplest way to do this?
ETA: I've built a password hasher that mimics Drupal's algorithm and makes migration easy. Since I've already accepted an answer, I won't unaccept, but for anyone who wants to do Drupal to Django migration in the future, the code is stored on Django snippets and as a GitHub gist.
回答1:
I don't know Drupal very well, but I suppose that the passwords are stored hashed. If that's the case, you'll have to copy the passwords (I mean, copy them unchanged) and you'll have to change the way Django hashes its passwords, using the exactly same way of Drupal, with the same Security Salt.
I really don't know how to do that, but the logic for passwords is contained in the User object. For example. the User.set_password() function (described here) uses the make_password function.
I think with a little research you'll find the way to change it, but the important thing is, remember that the functions must be equals! ie:
drupal_hash(x) == django_hash(x) for every x in the allowed passwords set.
EDIT:
Taking a deeper look django get the has function with the get_hasher function. Now in the 1.4 version there's a way to specify how Django will select that function. Take a look at this: https://docs.djangoproject.com/en/dev/topics/auth/#how-django-stores-passwords
Finally, in order to create your own function, you can take a look at how it's done on the MD5PasswordHasher. It seems really simple. You can use the hashlib python library to generate sha-512 algorithms.
Changing the encode method would require somthing similar to:
def encode(self, password, salt):
assert password
assert salt and '$' not in salt
hash = hashlib.sha512(salt + password).hexdigest()
return "%s$%s$%s" % (self.algorithm, salt, hash)
回答2:
Thank you, David Robinson, for your code. That made my day! It seems to have a flaw, though: If Drupal decided to not use 'C' but 'D' for the number of iterations, it fails. I fixed the class definition slightly:
class DrupalPasswordHasher(BasePasswordHasher):
algorithm = "S"
iter_code = 'C'
salt_length = 8
def encode(self, password, salt, iter_code=None):
"""The Drupal 7 method of encoding passwords"""
if iter_code == None:
iterations = 2 ** _ITOA64.index(self.iter_code)
else:
iterations = 2 ** _ITOA64.index(iter_code)
hash = hashlib.sha512(salt + password).digest()
for i in range(iterations):
hash = hashlib.sha512(hash + password).digest()
l = len(hash)
output = ''
i = 0
while i < l:
value = ord(hash[i])
i = i + 1
output += _ITOA64[value & 0x3f]
if i < l:
value |= ord(hash[i]) << 8
output += _ITOA64[(value >> 6) & 0x3f]
if i >= l:
break
i += 1
if i < l:
value |= ord(hash[i]) << 16
output += _ITOA64[(value >> 12) & 0x3f]
if i >= l:
break
i += 1
output += _ITOA64[(value >> 18) & 0x3f]
longhashed = "%s$%s%s%s" % (self.algorithm, iter_code,
salt, output)
return longhashed[:54]
def verify(self, password, encoded):
hash = encoded.split("$")[1]
iter_code = hash[0]
salt = hash[1:1 + self.salt_length]
return encoded == self.encode(password, salt, iter_code)
回答3:
You should be able to implement this by creating your own subclass of BasePasswordHasher, and adding it to your PASSWORD_HASHERS setting.
Python's hashlib implements sha512.
The page David linked to in the question explains how the number of iterations (16385 for Drupal 7) is encoded in the hash, but it's not clear to me how to get the salt.
Edit: In the comment to @santiago's answer, David says the "the salt is the 5th character through the 12th in the stored Drupal string".
回答4:
Here's an update to David's excellent answer for python 3, since hashlib no longer accepts strings. Also, this includes support for the odd "U$S$*" hashes, which apparently are from an update and I found a bunch of them in my drupal database.
https://gist.github.com/skulegirl/bec420b5272b87d9e4dbd39e947062fc
And as a bonus, here's the code that I used to import my xml file of user data in. (I just created the xml file via an sql export after doing a query on the users table.)
import xml.etree.ElementTree as ET
from django.contrib.auth.models import User
tree = ET.parse('/PATH/TO/Users.xml')
root = tree.getroot()
for row in root:
user_dict = {}
for field in row:
user_dict[field.attrib['name']] = field.text
user = User.objects.create_user(user_dict['name'], user_dict['mail'])
if user_dict['pass'][0] == '$':
user_dict['pass'] = user_dict['pass'][1:]
user.password = user_dict['pass']
user.save()
来源:https://stackoverflow.com/questions/9876700/migrate-passwords-from-drupal-7-to-django