[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] PEP 594: Removing dead batteries from the standard library

On 5/20/2019 6:06 PM, Christian Heimes wrote:

>> Removing the crypt module would remove support for system-standard
>> password files.  I don't understand the rationale.
> Applications *must* not access system-standard password files directly. On any sanely and securely configured systems, application cannot even access system password files like /etc/shadow. Access restrictions and system security policies will prevent read access. Also applications cannot assume that users are present in any user file. They may come from LDAP, SSSD, ActiveDirectory, or other sources.
> The correct way to interact with system users is to use the proper APIs, that are NSS (name service switch) and PAM (pluggable authentication modules). NSS looks up and enumerate users and groups. PAM performs password validation and much, much, much more. The pwd and grp modules use the correct APIs to interact with NSS. If you need to check or change passwords, you must go through PAM.

Add this to the PEP?  It might suggest that crypt should go away sooner.

Terry Jan Reedy