Linux System Users Login/Password?

  • Vincent Pirez

    Linux System Users Login/Password?

    Hi,

    Has anyone managed to code anything that will verify the username and
    password of a user against the /etc/shadow file?

    I need to authenticate users based on their local system accounts, but
    unfortunately need to do this without recompiling PHP or Apache with custom
    modules.

    So far I've managed to pull all of the shadow password strings out and into
    a database, but is there any way of 'matching' the encrypted strings if you
    are given the plain text version, like with md5?

    Thanks in advance,
    Vince.


  • David Haynes

    #2
    Re: Linux System Users Login/Password?

    Vincent Pirez wrote:
    > Hi,
    >
    > Has anyone managed to code anything that will verify the username and
    > password of a user against the /etc/shadow file?
    >
    > I need to authenticate users based on their local system accounts, but
    > unfortunately need to do this without recompiling PHP or Apache with custom
    > modules.
    >
    > So far I've managed to pull all of the shadow password strings out and into
    > a database, but is there any way of 'matching' the encrypted strings if you
    > are given the plain text version, like with md5?
    >
    > Thanks in advance,
    > Vince.
    >
    PHP has a function named 'crypt' that will encrypt strings in the same
    way the password is encrypted into the password file. It takes a
    password string and a salt string.

    The encryption algorithm may vary but is typically either a two
    character salt (CRYPT_STD_DES) or an MD5 salt (CRYPT_MD5). The MD5
    encryptions are guaranteed to start with a '$' sign.

    So, for example, let's say your shadow entry is:
    web:$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.:13007:0:99999:7:::

    This is an MD5 encrypted password.

    if (crypt($password, $salt) == '$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.') {
        // password is correct
    }

    Do you really want to pull all the shadow entries into a database? Why
    not read the file directly and explode() the entries? It seems to me
    that you will have synchronization issues the other way.

    -david-


    • Vincent Pirez

      #3
      Re: Linux System Users Login/Password?


      "David Haynes" <david.haynes2@sympatico.ca> wrote in message
      news:2hwjg.28139$IQ3.12051@fe06.usenetserver.com...
      > PHP has a function named 'crypt' that will encrypt strings in the same way
      > the password is encrypted into the password file. It takes a password
      > string and a salt string.
      >
      > The encryption algorithm may vary but is typically either a two character
      > salt (CRYPT_STD_DES) or an MD5 salt (CRYPT_MD5). The MD5 encryptions are
      > guaranteed to start with a '$' sign.
      >
      > So, for example, let's say your shadow entry is:
      > web:$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.:13007:0:99999:7:::
      >
      > This is an MD5 encrypted password.
      >
      > if (crypt($password, $salt) == '$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.') {
      >     // password is correct
      > }
      >
      > Do you really want to pull all the shadow entries into a database? Why not
      > read the file directly and explode() the entries? It seems to me that you
      > will have synchronization issues the other way.
      >
      > -david-

      Hi David,

      Thanks for the great response. But how do I determine the matching salt?

      Thanks,
      Vince.



      • David Haynes

        #4
        Re: Linux System Users Login/Password?

        Vincent Pirez wrote:
        > "David Haynes" <david.haynes2@sympatico.ca> wrote in message
        > news:2hwjg.28139$IQ3.12051@fe06.usenetserver.com...
        >> PHP has a function named 'crypt' that will encrypt strings in the same way
        >> the password is encrypted into the password file. It takes a password
        >> string and a salt string.
        >>
        >> The encryption algorithm may vary but is typically either a two character
        >> salt (CRYPT_STD_DES) or an MD5 salt (CRYPT_MD5). The MD5 encryptions are
        >> guaranteed to start with a '$' sign.
        >>
        >> So, for example, let's say your shadow entry is:
        >> web:$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.:13007:0:99999:7:::
        >>
        >> This is an MD5 encrypted password.
        >>
        >> if (crypt($password, $salt) == '$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.') {
        >>     // password is correct
        >> }
        >>
        >> Do you really want to pull all the shadow entries into a database? Why not
        >> read the file directly and explode() the entries? It seems to me that you
        >> will have synchronization issues the other way.
        >>
        >> -david-
        >
        > Hi David,
        >
        > Thanks for the great response. But how do I determine the matching salt?
        >
        > Thanks,
        > Vince.
        >
        The short answer is that the salt of the encrypted password in the
        shadow file is used.

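        A sample program:
        <?php
        // Stored hash from the shadow file; its leading part doubles as the salt.
        $shadow_pw = '$1$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.';
        $my_pw = array('foofoofoo', 'letmein');

        foreach ($my_pw as $pw) {
            // Re-hash the candidate, passing the stored hash as the salt argument.
            if (crypt($pw, $shadow_pw) == $shadow_pw) {
                echo "The password $pw is good\n";
            } else {
                echo "The password $pw is bad\n";
            }
        }
        ?>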

        -david-


        • Vincent Pirez

          #5
          Re: Linux System Users Login/Password?


          "David Haynes" <david.haynes2@sympatico.ca> wrote in message
          news:gYDjg.26453$CX3.5813@fe46.usenetserver.com...
          > The short answer is that the salt of the encrypted password in the shadow
          > file is used.
          >
          > A sample program:
          > <?php
          > $shadow_pw = '$1$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.';
          > $my_pw = array('foofoofoo', 'letmein');
          >
          > foreach ($my_pw as $pw) {
          >     if (crypt($pw, $shadow_pw) == $shadow_pw) {
          >         echo "The password $pw is good\n";
          >     } else {
          >         echo "The password $pw is bad\n";
          >     }
          > }
          > ?>

          David,

          Ahhh I get it now, by crypt()'ing the password against the shadow password
          it somehow verifies.....I'm curious how this works, but don't need an
          explanation unless anyone's willing to offer one?

          Fact of the matter is it works, and is verifying nicely - many thanks for
          your help David :)

          Vince.



          • David Haynes

            #6
            Re: Linux System Users Login/Password?

            Vincent Pirez wrote:
            > David,
            >
            > Ahhh I get it now, by crypt()'ing the password against the shadow password
            > it somehow verifies.....I'm curious how this works, but don't need an
            > explanation unless anyone's willing to offer one?

            The first 'n' characters of any encrypted password are the salt used to
            create the password. By supplying an encrypted password as the salt, you
            are essentially providing the salt.
            >
            > Fact of the matter is it works, and is verifying nicely - many thanks for
            > your help David :)

            Cool! Glad it's working out for you.

            -david-
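
Added example, not part of the original thread: the verification discussed in posts #4 and #6, extended to parse a shadow-format line, refuse locked or password-less accounts, and compare in constant time. The function names, account names, password and salt are constructed for illustration, and the hash is generated at run time rather than taken from any system.

```php
<?php
// Added example (not from the thread). Function names, accounts,
// password and salt are constructed for illustration.

/** Return the password field for $user from shadow-format text, or null. */
function shadow_hash_for(string $shadowText, string $user): ?string
{
    foreach (preg_split('/\R/', $shadowText) as $line) {
        $fields = explode(':', $line);
        if (count($fields) >= 2 && $fields[0] === $user) {
            return $fields[1];
        }
    }
    return null;
}

/** Check a candidate password against a stored crypt(3) hash. */
function verify_shadow_password(string $candidate, ?string $stored): bool
{
    // Empty field = no password set; leading '!' or '*' = locked or
    // disabled account. None of these may ever authenticate.
    if ($stored === null || $stored === ''
        || $stored[0] === '!' || $stored[0] === '*') {
        return false;
    }
    // crypt() reads the scheme id and salt from the front of $stored,
    // ignores the digest after them, and re-hashes the candidate.
    $computed = crypt($candidate, $stored);
    // hash_equals() compares in constant time; a crypt() failure token
    // ('*0' / '*1') can never equal a stored hash that passed the check above.
    return hash_equals($stored, $computed);
}

// Constructed sample data: the hash is generated here, not taken from a system.
$salt   = '$1$example0$';                 // MD5-crypt id + 8-character salt
$hash   = crypt('letmein', $salt);
$shadow = "root:!:13007:0:99999:7:::\nweb:{$hash}:13007:0:99999:7:::\n";

// The stored hash begins with the salt, so either one works as the salt argument.
var_dump(substr($hash, 0, strlen($salt)) === $salt);
var_dump(crypt('letmein', $hash) === $hash);

var_dump(verify_shadow_password('letmein', shadow_hash_for($shadow, 'web')));
var_dump(verify_shadow_password('wrong', shadow_hash_for($shadow, 'web')));
var_dump(verify_shadow_password('letmein', shadow_hash_for($shadow, 'root')));
var_dump(verify_shadow_password('letmein', shadow_hash_for($shadow, 'nobody')));
```

PHP's password_verify() performs the same crypt-and-compare step in one call for hashes in crypt() format. /etc/shadow is normally readable only by root, so whatever copies its hashes elsewhere needs the same access protection as the file itself.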
