Linux System Users Login/Password?

Vincent Pirez wrote:

Hi,

Has anyone managed to code anything that will verify the username and
password of a user against the /etc/shadow file?

I need to authenticate users based on their local system accounts, but
unfortunately need to do this without recompiling PHP or Apache with custom
modules.

So far I've managed to pull all of the shadow password strings out and into
a database, but is there any way of 'matching' the encrypted strings if you
are given the plain text version, like with md5?

Thanks in advance,
Vince.

PHP has a function named 'crypt' that will encrypt strings in the same
way the password is encrypted into the password file. It takes a
password string and a salt string.

The encryption algorithm may vary but is typically either a two
character salt (CRYPT_STD_DES) or an MD5 salt (CRYPT_MD5). The MD5
encryptions are guaranteed to start with a '$' sign.

So, for example, let's say your shadow entry is:
web:$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.:13007:0:999 99:7:::

This is a MD5 encrypted password.

if( crypt($password, $salt) == '$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.')) {
// password is correct
}

Do you really want to pull all the shadow entries into a database? Why
not read the file directly and explode() the entries? It seems to me
that you will have synchronization issues the other way.

-david-

"David Haynes" <da***********@sympatico.ca> wrote in message
news:2h*******************@fe06.usenetserver.com.. .

PHP has a function named 'crypt' that will encrypt strings in the same way
the password is encrypted into the password file. It takes a password
string and a salt string.

The encryption algorithm may vary but is typically either a two character
salt (CRYPT_STD_DES) or an MD5 salt (CRYPT_MD5). The MD5 encryptions are
guaranteed to start with a '$' sign.

So, for example, let's say your shadow entry is:
web:$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.:13007:0:999 99:7:::

This is a MD5 encrypted password.

if( crypt($password, $salt) == '$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.')) {
// password is correct
}

Do you really want to pull all the shadow entries into a database? Why not
read the file directly and explode() the entries? It seems to me that you
will have synchronization issues the other way.

-david-

Hi David,

Thanks for the great response. But how do I determine the matching salt?

Thanks,
Vince.

Vincent Pirez wrote:

"David Haynes" <da***********@sympatico.ca> wrote in message
news:2h*******************@fe06.usenetserver.com.. .

PHP has a function named 'crypt' that will encrypt strings in the same way
the password is encrypted into the password file. It takes a password
string and a salt string.

The encryption algorithm may vary but is typically either a two character
salt (CRYPT_STD_DES) or an MD5 salt (CRYPT_MD5). The MD5 encryptions are
guaranteed to start with a '$' sign.

So, for example, let's say your shadow entry is:
web:$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.:13007:0:999 99:7:::

This is a MD5 encrypted password.

if( crypt($password, $salt) == '$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.')) {
// password is correct
}

Do you really want to pull all the shadow entries into a database? Why not
read the file directly and explode() the entries? It seems to me that you
will have synchronization issues the other way.

-david-

Hi David,

Thanks for the great response. But how do I determine the matching salt?

Thanks,
Vince.

The short answer is that the salt of the encrypted password in the
shadow file is used.

A sample program:
<?php
$shadow_pw = '$1$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.';
$my_pw = array('foofoofoo', 'letmein');

foreach( $my_pw as $pw ) {
if( crypt($pw, $shadow_pw) == $shadow_pw ) {
echo "The password $pw is good\n");
} else {
echo "The password $pw is bad\n");
}
}
?>

-david-

"David Haynes" <da***********@sympatico.ca> wrote in message
news:gY******************@fe46.usenetserver.com...

The short answer is that the salt of the encrypted password in the shadow
file is used.

A sample program:
<?php
$shadow_pw = '$1$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.';
$my_pw = array('foofoofoo', 'letmein');

foreach( $my_pw as $pw ) {
if( crypt($pw, $shadow_pw) == $shadow_pw ) {
echo "The password $pw is good\n");
} else {
echo "The password $pw is bad\n");
}
}
?>

David,

Ahhh i get it now, by crypt()'ing the password against the shadow password
it somehow verifies.....I'm curious how this works, but don't need an
explanation unless anyone's willing to offer one?

Fact of the matter is it works, and is verifying nicely - many thanks for
your help David :)

Vince.

Vincent Pirez wrote:

David,

Ahhh i get it now, by crypt()'ing the password against the shadow password
it somehow verifies.....I'm curious how this works, but don't need an
explanation unless anyone's willing to offer one?
The first 'n' characters of any encrypted password is the salt used to
create the password. By supplying an encrypted password as the salt, you
are essentially providing the salt.
Fact of the matter is it works, and is verifying nicely - many thanks for
your help David :)

Cool! Glad its working out for you.

-david-