passlib.hash.unix_disabled - Unix Disabled Account Helper
This class does not provide an encryption scheme,
but instead provides a helper for handling disabled
password fields as found in unix /etc/shadow files.
This class is mainly useful only for plugging into a
CryptContext instance.
It can be used directly as follows:
>>> from passlib.hash import unix_disabled
>>> # 'hashing' a password always results in "!" or "*"
>>> unix_disabled.hash("password")
'!'
>>> # verifying will fail for all passwords and hashes
>>> unix_disabled.verify("password", "!")
False
>>> unix_disabled.verify("letmein", "*NOPASSWORD*")
False
>>> # this class should identify all strings which aren't
>>> # valid Unix crypt() output, while leaving MCF hashes alone
>>> unix_disabled.identify('!')
True
>>> unix_disabled.identify('')
True
>>> unix_disabled.identify("$1$somehash")
False
Interface
- class passlib.hash.unix_disabled
This class provides disabled password behavior for unix shadow files, and follows the PasswordHash API.
This class does not implement a hash, but instead matches the “disabled account” strings found in /etc/shadow on most Unix variants. “Encrypting” a password will simply return the disabled account marker. It will reject all passwords, no matter the hash string. The hash() method supports one optional keyword:
- Parameters:
marker (str) –
Optional marker string which overrides the platform default used to indicate a disabled account.
If not specified, this will default to "*" on BSD systems, and use the Linux default "!" for all other platforms. (unix_disabled.default_marker will contain the default value)
Added in version 1.6: This class was added as a replacement for the now-removed unix_fallback class.
Deviations
According to the Linux shadow man page, an empty string is treated
as a wildcard by Linux, allowing all passwords. For security purposes,
this behavior is NOT supported; empty strings are treated the same as ! or *.