
how to check for unix password

hi
i created a login page that authenticates the user and his/her password
to the unix system. what modules can i use to compare the unix
password with what the user typed in the cgi form? the password is
encrypted (shadowed) so i need to decrypt it first before comparing
to what the user typed. or this cannot be done at all?
thanks

Nov 2 '05 #1


complicated issue. There are lots of authentication subsystems that may
be in use (PAM, LDAP, Kerberos, /etc/shadow etc.). Each has a different
way. If it is linux, I think you should shoot for PAM, for other unix
systems I have no idea.
/etc/passwd is a one way hash, you need the user to submit the plain text
equivalent (better use SSL) then compute and compare.

However, if this is a web page, I believe it would be better to use the
apache2 module which has relatively good integration with the
authentication system.

ei***********@yahoo.com wrote:
> hi
> i created a login page that authenticates the user and his/her password
> to the unix system. what modules can i use to compare the unix
> password with what the user typed in the cgi form? the password is
> encrypted (shadowed) so i need to
> decrypt it first before comparing to what the user typed. or this
> cannot be done at all?
> thanks


Nov 2 '05 #2

ei***********@yahoo.com writes:
> i created a login page that authenticates the user and his/her password
> to the unix system. what modules can i use to compare the unix
> password with what the user typed in the cgi form? the password is
> encrypted (shadowed) so i need to
> decrypt it first before comparing to what the user typed. or this
> cannot be done at all?


As has already been pointed out, users authenticate to Unix systems
with a lot more than passwords.

Also, it's not a good idea to make a web page use a system
password. Web page passwords tend to be poorly protected.

Finally, you can't decrypt a Unix password file password. The
algorithm is to encrypt what the user typed (with crypt.crypt) then
compare that with the entry in the password file. You pass crypt.crypt
the user-entered password as the first argument, and the password from
the password file as the second, and compare the returned value to the
password from the password file.

<mike
--
Mike Meyer <mw*@mired.org> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
Nov 2 '05 #3

ei***********@yahoo.com wrote:
> hi
> i created a login page that authenticates the user and his/her password
> to the unix system. what modules can i use to compare the unix
> password with what the user typed in the cgi form? the password is
> encrypted (shadowed) so i need to

That's not the same thing. Unix passwords are always hashed (encrypted
if you like), but shadowing means that the hashed password isn't visible
in the /etc/passwd file (this file is readable to anyone logged into the
system) but stored in a shadow file which is only available to
administrators.

> decrypt it first before comparing to what the user typed. or this
> cannot be done at all?


No. This is done with a one-way encryption algorithm, it shouldn't
be possible to decrypt the password hashes without a time consuming
brute force attack. That's not how the authentication works.

What you should do is to encrypt the user supplied password with the
same algorithm and salt as the Unix system uses, and compare the
hashes.

Another option is to simply run some program that tries to log in
the user on the unix box and see if that goes well.

If you really use shadow passwords, and can't run as root on the
system, manual comparison with the password hash is not an option.

For another alternative, see
http://aspn.activestate.com/ASPN/Coo.../Recipe/203610
If POP won't help you, I'm sure you might think of similar approaches,
telnetlib or ftplib might prove helpful.
Nov 2 '05 #4

ei***********@yahoo.com wrote:
> i created a login page that authenticates the user and his/her password
> to the unix system. what modules can i use to compare the unix
> password with what the user typed in the cgi form? the password is
> encrypted (shadowed) so i need to decrypt it first before comparing
> to what the user typed.


encrypted != shadowed. unix passwords are always encrypted, and
cannot be decrypted (at least not easily).

to check a password, encrypt the given password using the same salt,
and check if you get the same result. see the second example on this
page for an example:

http://effbot.org/librarybook/crypt.htm

if the password is shadowed, you need the right privileges, and the spwd
module:

http://www.python.org/dev/doc/devel/...dule-spwd.html

this is only available in development versions. to use it with an older
version, you have to build it yourself. the source code is here:

http://svn.python.org/view/python/tr...s/spwdmodule.c

</F>

Nov 2 '05 #5
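
The check the replies above describe (hash what the user typed using the stored field as the salt, then compare), as an added example that is not code from any poster in this thread. `check_password`, `login`, the sample entries and `demo_crypt` are constructed for illustration; `demo_crypt` is a stand-in with the same call shape as `crypt.crypt` so the block runs where the system crypt module is unavailable.

```python
import hashlib
import hmac


def demo_crypt(word, salt):
    """Stand-in with crypt.crypt's call shape, constructed for this demo (not a
    real Unix scheme): returns '$demo$<salt>$<hex>' using PBKDF2-HMAC-SHA256."""
    salt_part = salt.split("$")[2]  # same result for a bare salt or a full hash
    digest = hashlib.pbkdf2_hmac("sha256", word.encode(), salt_part.encode(), 10_000)
    return "$demo$%s$%s" % (salt_part, digest.hex())


def check_password(typed, stored, crypt_fn=None):
    """Return True only if `typed` hashes to the `stored` password field."""
    if crypt_fn is None:
        # Real Unix hashes: stdlib crypt (present through Python 3.12, removed in 3.13).
        from crypt import crypt as crypt_fn
    # An empty field, '*', '!' or '!<hash>' means no password login or a locked
    # account; 'x' means the hash lives in the shadow file. Never hash against these.
    if not stored or stored[0] in "*!" or stored == "x":
        return False
    # The stored field doubles as the salt argument: crypt reads the scheme and
    # salt from its prefix, so a correct password reproduces the whole field.
    computed = crypt_fn(typed, stored)
    if not computed:  # crypt could not produce a hash for this field
        return False
    return hmac.compare_digest(computed.encode(), stored.encode())


# Constructed sample entries in /etc/shadow layout (name:password field:...).
SHADOW_LINES = [
    "alice:" + demo_crypt("correct horse", "$demo$Zx81Qa") + ":19000:0:99999:7:::",
    "bob:!" + demo_crypt("hunter2", "$demo$p0Lk3m") + ":19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
]
FIELDS = dict(line.split(":")[:2] for line in SHADOW_LINES)


def login(user, typed):
    # An unknown user gets the same False as a wrong password.
    return check_password(typed, FIELDS.get(user, "*"), demo_crypt)


if __name__ == "__main__":
    for user, typed in [("alice", "correct horse"), ("alice", "guess"), ("bob", "hunter2")]:
        print(user, login(user, typed))
```

Called without `crypt_fn`, `check_password` uses the standard library's `crypt.crypt`, and reading real shadow entries still needs the privileges mentioned in the replies.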
