Comments (7)

TalAloni avatar TalAloni commented on August 20, 2024

You ask a very complex question and start with "Not a big question".
In modern authentication schemes, passwords are not transmitted to the server; the client usually sends a "proof" that it knows the password, but not the password itself. The server should have its own means to authenticate the proof sent by the client. In most modern implementations, the server itself does not have direct access to the password.
This is a huge topic that is outside the scope of the "issues" section of the library.

from smblibrary.

TalAloni avatar TalAloni commented on August 20, 2024

> I plan to implement it through a database, so your built-in class of blocking requests will not help.

This sentence is likely to be incorrect; IndependentNTLMAuthenticationProvider can be used with a database.

from smblibrary.

nvd05 avatar nvd05 commented on August 20, 2024

I realize that from a security standpoint this is not the best way; however, it is the most effective way to see if there are some not-so-good people trying to pick up the password and log in to the server.

So far, at the moment the server is running an FTP server via the pyftpdlib library, and the logging of authorization goes into a database. So: as soon as I bought a public IP, immediately some bot appeared, which every 5 seconds for several hours was picking up passwords and logins (I can send a screenshot, but I think you already assume what it is).

If you still don't agree to make the password available, please suggest alternative ways to check such people.

from smblibrary.

nvd05 avatar nvd05 commented on August 20, 2024

> This sentence is likely to be incorrect; IndependentNTLMAuthenticationProvider can be used with a database.

When I looked at your library code, I found a flood protection in it. This is what I call "protection", although it is only protection against too many requests.

from smblibrary.

TalAloni avatar TalAloni commented on August 20, 2024

> If you still don't agree to make the password available, please suggest alternative ways to check such people.

I'm repeating again that passwords are not transmitted to the server; the library cannot provide what it does not have.

To limit a user from too many unsuccessful login attempts, you simply have to know the username and that the login attempt was unsuccessful. The library supports that, as you can provide your own authentication mechanism (or use a proxy design pattern). (And you definitely do not need the password.)

Please understand that I'm a volunteer with very little time; please do your homework and refrain from wasting my time.

from smblibrary.
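
An added example (not code from SMBLibrary or from either commenter) of the approach described in the comment above: detecting password guessing from nothing more than the username, the source address and the outcome of each attempt, stored in a database. The table layout, thresholds, function names and sample events are assumptions constructed for illustration.

```python
import sqlite3

WINDOW_SECONDS = 300  # assumed look-back window
MAX_FAILURES = 5      # assumed failure count that triggers a flag

def open_store():
    """In-memory table standing in for the authorization-log database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attempts "
               "(ts INTEGER, username TEXT, source_ip TEXT, success INTEGER)")
    return db

def record_attempt(db, ts, username, source_ip, success):
    # Only the outcome is stored; neither the password nor the proof is needed.
    db.execute("INSERT INTO attempts VALUES (?, ?, ?, ?)",
               (ts, username, source_ip, int(success)))

def flagged(db, column, now):
    """Map each username or source IP at/over the threshold to its failure count."""
    if column not in ("username", "source_ip"):  # whitelist: column goes into SQL
        raise ValueError("unsupported column")
    rows = db.execute(
        f"SELECT {column}, COUNT(*) FROM attempts "
        f"WHERE success = 0 AND ts > ? AND ts <= ? "
        f"GROUP BY {column} HAVING COUNT(*) >= ?",
        (now - WINDOW_SECONDS, now, MAX_FAILURES))
    return dict(rows.fetchall())

def should_reject(db, username, source_ip, now):
    """Check before authenticating: refuse flagged sources and flagged accounts."""
    return (source_ip in flagged(db, "source_ip", now)
            or username in flagged(db, "username", now))

def load_sample(db):
    """Constructed events: a bot guessing every 5 s, plus one real user's typo."""
    names = ["admin", "root", "alice"]
    for i in range(12):
        record_attempt(db, 1000 + 5 * i, names[i % 3], "203.0.113.7", False)
    record_attempt(db, 1010, "alice", "198.51.100.20", False)
    record_attempt(db, 1020, "alice", "198.51.100.20", True)

if __name__ == "__main__":
    db = open_store()
    load_sample(db)
    print("sources:", flagged(db, "source_ip", 1060))
    print("accounts:", flagged(db, "username", 1060))
    print("reject bot:", should_reject(db, "bob", "203.0.113.7", 1060))
```

In the sample data the per-account check also flags `alice`, because the bot's guesses count against her account; per-source limits are therefore usually applied first so that a guessing bot cannot lock out the real user.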

nvd05 avatar nvd05 commented on August 20, 2024

I think I understand what you are trying to say.
The password is transmitted in encoded form (bytes) and, as I understand, it is impossible to decode it.

Am I understanding you correctly?

from smblibrary.

TalAloni avatar TalAloni commented on August 20, 2024

Your phrasing is a bit odd, but essentially yes. If you wish to understand it better, I suggest you read up on cryptography and modern authentication schemes.

from smblibrary.
