hi
i created a login page that authenticate the user and his/her password
to the unix ssystem. what modules can i used to compare the unix
password with what the user typed in the cgi form? the password is
encrypted (shadowed) so i need to
decrypt it first before comparing to what the user typed. or this
cannot be done at all?
thanks 4 3472
complicated issue. There is lots of authentication sub system that may
be in use(PAM, LDAP, Kerberos, /etc/shadow etc.). Each has a different
way. If it is linux, I think you should shoot for PAM, for other unix
system I have no idea.
/etc/passwd is a one way hash, you need the user submit the plain text
equivalent(bett er use SSL) then compute and compare.
However, if this is web page, I believe it would be better to use the
apache2 module which has relatively good integration with the
authentication system. ei***********@y ahoo.com wrote: hi i created a login page that authenticate the user and his/her password to the unix ssystem. what modules can i used to compare the unix password with what the user typed in the cgi form? the password is encrypted (shadowed) so i need to decrypt it first before comparing to what the user typed. or this cannot be done at all? thanks ei***********@y ahoo.com writes: i created a login page that authenticate the user and his/her password to the unix ssystem. what modules can i used to compare the unix password with what the user typed in the cgi form? the password is encrypted (shadowed) so i need to decrypt it first before comparing to what the user typed. or this cannot be done at all?
As has already been pointed out, users authenticate to Unix systems
with a lot more than passwords.
Also, it's not a good idea to make a web page use a system
password. Web page passwords tend to be poorly protected.
Finally, you can't decrypt a Unix password file password. The
algorithm is to encrypt what the user typed (with crypt.crypt) then
compare that with the entry in the password file. You pass crypt.crypt
the user-entered pasword as the first argument, and the password from
the password file as the second, and compare the returned value to the
password from the password file.
<mike
--
Mike Meyer <mw*@mired.or g> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. ei***********@y ahoo.com wrote: hi i created a login page that authenticate the user and his/her password to the unix ssystem. what modules can i used to compare the unix password with what the user typed in the cgi form? the password is encrypted (shadowed) so i need to
That's not the same thing. Unix passwords are always hashed (encrypted
if you like), but shadowing means that the hashed password isn't visible
in the /etc/passwd file (this file is readable to anyone logged into the
system) but stored in a shadow file which is only available to
administrators.
decrypt it first before comparing to what the user typed. or this cannot be done at all?
No. This is done with a one-way encryption algorithm, it shouldn't
be possible to decrypt the password hashes without a time consuming
brute force attack. That's not how the authentication works.
What you should do is to encrypt the user supplied password with the
same algorithm and salt as the Unix system uses, and compare the
hashes.
Another option is to simply run some program that tries to log in
the user on the unix box and see if that goes well.
If you really use shadow passwords, and can't run as root on the
system, manual comparision with the password hash is not an option.
For another alternative, see http://aspn.activestate.com/ASPN/Coo.../Recipe/203610
If POP won't help you, I'm sure you might think of similar approaches,
telnetlib or ftplib might prove helpful. ei***********@y ahoo.com wrote: i created a login page that authenticate the user and his/her password to the unix ssystem. what modules can i used to compare the unix password with what the user typed in the cgi form? the password is encrypted (shadowed) so i need to decrypt it first before comparing to what the user typed.
encrypted != shadowed. unix passwords are always encrypted, and
cannot be decrypted (at least not easily).
to check a password, encrypt the given password using the same salt,
and check if you get the same result. see the second example on this
page for an example: http://effbot.org/librarybook/crypt.htm
if the password is shadowed, you need the right privileges, and the spwd
module: http://www.python.org/dev/doc/devel/...dule-spwd.html
this is only available in development versions. to use it with an older
version, you have to built it yourself. the source code is here: http://svn.python.org/view/python/tr...s/spwdmodule.c
</F> This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: mrbog |
last post by:
Tell me if my assertion is wrong here:
The only way to prevent session hijacking is to NEVER store
authentication information (such as name/password) in the session.
Well, to never authenticate a user from information you got from the
session. Each secure app on a site must challenge the user for name
and password, each and every time the user accesses it (not just once
and then store it in the session). If a secure app is multi-page,...
|
by: netsurfer |
last post by:
hi..I'm working on a project that requires files to be password
protected on a UNIX based site. The people that own the web site want
to be able to change the password every so often. Unfortunately, I
have restricted access only to FTP so I really can't log in to any kind
of Administrative Console or Admin Panel and see if there are folders
that can be password protected and then have passwords changed on them.
The people I'm contracted...
|
by: jrefactors |
last post by:
I want to ask how password is stored and how to check the
authentication?
I have heard password is never encrypted and decrypted, but it is
hashed.
For example, consider a simple email logon authentication in a hash
table:
Key: my email address
Value: hash_function(my plan text password)
|
by: bb |
last post by:
I have a requirement to create and store in our database the users
password in a couple of additional hashes (we currently store an MD5
hash)
the spec is pretty brief...
Spec:
Store the NT Hash and Unix Crypt of password when a user
creates/modifies password
End.
|
by: Sri |
last post by:
Hi
I am trying to match a user password provided by a user on an ASP.NET web form with a Unix encrypted password stored in a Sybase database table. I know I cannot use MD5, SHA1, etc as the password is stored encryted in Unix, I guess crypt(). Is there a special Dll that I can use to convert the password into a Unix encrypted string value and then match the two values?
I am using ASP.NET, C#
Thanks
Sri.
| |
by: iamsiju |
last post by:
Hi,
I am facing a problem with the Perl Telnet Object. My Telnet Object hangs just after issueing reboot command on the remote host.
Please help me who faced this problem !!!
Thanks in advance
Siju Maliakkal
|
by: programming |
last post by:
Hi all,
i have been having trouble with a login script that works on my
windows machine, however when i upload it to the Unix server through
VPN, the same script won't work! It won't parse member.txt properly i
think. The password and usernames i am using are at the bottom of this
post.
Each time i go to login on the unix server, it clears the username and
password field. I have been attempting to solve the problem, but have
been...
|
by: bond007 |
last post by:
Hi,
Am writing an .net windows application in which i have to connect to IBM MQ on remote machine running unix to post messages. This is a tool kinda thing for an enterprise application.
this is the code am using to connect to the MQ.
MQEnvironment.Hostname = hostName;
MQEnvironment.Port = port;
MQEnvironment.Channel = "SYSTEM.DEF.SVRCONN";
MQQueueManager qm=new MQQueueManager(queueMgr);
|
by: happyse27 |
last post by:
Hi All,
I modified the user registration script, but not sure how to make it check for each variable in terms of preventing junk registration and invalid characters?
Two codes below :
a) html
b) perl script (print and inserting into database)
Cheers...
Andrew
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |