Vincent Pirez wrote:
Hi,
Has anyone managed to code anything that will verify the username and
password of a user against the /etc/shadow file?
I need to authenticate users based on their local system accounts, but
unfortunately need to do this without recompiling PHP or Apache with custom
modules.
So far I've managed to pull all of the shadow password strings out and into
a database, but is there any way of 'matching' the encrypted strings if you
are given the plain text version, like with md5?
Thanks in advance,
Vince.
PHP has a function named 'crypt' that will encrypt strings in the same
way the password is encrypted into the password file. It takes a
password string and a salt string.
The encryption algorithm may vary but is typically either a two
character salt (CRYPT_STD_DES) or an MD5 salt (CRYPT_MD5). The MD5
encryptions are guaranteed to start with a '$' sign.
So, for example, let's say your shadow entry is:
web:$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.:13007:0:99999:7:::
This is an MD5 encrypted password.
if (crypt($password, $salt) == '$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.') {
    // password is correct
}
Do you really want to pull all the shadow entries into a database? Why
not read the file directly and explode() the entries? It seems to me
that you will have synchronization issues the other way.
-david-
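
Added example, not part of the thread: one way to apply the crypt() comparison described above to a single shadow-format line, including the locked-account and crypt() failure cases. The function names and the sample entry are hypothetical and constructed for illustration; it assumes PHP 7.1 or later (hash_equals() and nullable return types).

```php
<?php
// Added example; parse_shadow_line() and verify_shadow_password() are
// hypothetical helper names, not functions from the thread or from PHP.

/** Split one shadow-format line; return [user, hash field] or null if malformed. */
function parse_shadow_line(string $line): ?array
{
    $fields = explode(':', rtrim($line, "\r\n"));
    if (count($fields) < 2 || $fields[0] === '') {
        return null;
    }
    return [$fields[0], $fields[1]];
}

/** Check a plain-text password against the hash field of one shadow line. */
function verify_shadow_password(string $line, string $user, string $password): bool
{
    $entry = parse_shadow_line($line);
    if ($entry === null || $entry[0] !== $user) {
        return false;
    }
    $stored = $entry[1];
    // An empty field, or one starting with "*" or "!", means no usable
    // password (account locked or password login disabled): always refuse.
    if ($stored === '' || $stored[0] === '*' || $stored[0] === '!') {
        return false;
    }
    // Passing the stored hash as the salt makes crypt() reuse the scheme
    // and salt encoded in its prefix.
    $computed = crypt($password, $stored);
    // On failure crypt() returns a short string that differs from the salt,
    // so the comparison fails. hash_equals() compares in constant time.
    return hash_equals($stored, $computed);
}

// Constructed sample entry: the hash is generated here, not taken from a real system.
$hash   = crypt('correct horse', '$1$abcdefgh$');
$line   = "web:{$hash}:13007:0:99999:7:::";
$locked = "web:!{$hash}:13007:0:99999:7:::";

var_dump(verify_shadow_password($line, 'web', 'correct horse'));
var_dump(verify_shadow_password($line, 'web', 'wrong guess'));
var_dump(verify_shadow_password($locked, 'web', 'correct horse'));
```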