Validating A User/Password Pair + Getting Groups On Unix

OK, I've Googled for this and cannot seem to quite find what I need.
So, I turn to the Gentle Geniuses here for help. Here is what I
need to do from within a script:

Given a username and a password (plain text):

1) Validate that the password is correct for that user *without actually logging in*.

2) If the password is valid, return a list of all the groups the user belongs to.
Otherwise, return some error string.

I seem to not be able to crack how to do 1.

I can do 2) by brute force - just parse through /etc/group - but this
misses the primary group a given user may belong to - and that requires
also scanning /etc/passwd and then looking up the corresponding primary
group in /etc/group. Is there a better way?

TIA,
--
----------------------------------------------------------------------------
Tim Daneliuk tu****@tundraware.com
PGP Key: http://www.tundraware.com/PGP/

Jul 18 '05 #1
On 28 Feb 2005 20:17:58 EST, Tim Daneliuk <tu****@tundraware.com>
wrote:

> [...]
> Given a username and a password (plain text):
>
> 1) Validate that the password is correct for that user *without actually logging in*.
The 'pwd' module probably won't be able (and won't try) to read the
shadow password file, so 'pwd' won't be of use. There may not be a
Python module which handles your local authentication scheme (there's
a 'krb5' module for Kerberos authentication), so you may need to write
one. The best approach may be to write an extension module in C or
C++ which wraps around whatever local authentication functions are
appropriate (e.g. a 'pam' module for PAM, an 'auth' module for BSD).
You'd only need to wrap the functions needed for simple pass/fail
authentication (e.g. auth_userokay), but the other functions could
easily be added to the extension later if needed.

The process that calls the authentication functions will probably need
special access privileges so that the functions can successfully accept
or reject the password. The man pages for the authentication
functions should have details. For example, auth_userokay calls
getpwnam, which requires the effective uid to be 0 (or, on some
systems, the user to be in the "_shadow" group) for it to include the
encrypted password in the passwd entry.

If you're not sure what authentication scheme your system uses, try
`man -s 3 authenticate` or examine "/usr/src/usr.bin/login/login.c".

extending Python:
http://www.python.org/doc/2.4/ext/ext.html

Python/C API:
http://www.python.org/doc/2.4/api/api.html

Information on Linux-PAM
http://www.kernel.org/pub/linux/libs/pam/

You could even add support for the full authentication API to your
module and contribute the extension to the Python community.
http://www.python.org/download/Contributed.html.

> 2) If the password is valid, return a list of all the groups the user belongs to.
> Otherwise, return some error string.
> [...]
> I can do 2) by brute force - just parse through /etc/group - but this
> misses the primary group a given user may belong to - and that requires
> also scanning /etc/passwd and then looking up the corresponding primary
> group in /etc/group. Is there a better way?

Slightly better would be to use the grp and pwd modules:
http://www.python.org/doc/2.4/lib/module-grp.html
http://www.python.org/doc/2.4/lib/module-pwd.html

Even better would be to write an extension or add to the grp module to
wrap around local group database access functions (e.g. getgrouplist).
See the 'getgrouplist' man page for more information and examine the
source of the `groups` command (probably
"/usr/src/usr.bin/groups/groups.c") or `id` command (should be
"/usr/src/usr.bin/id/id.c") for other group DB access functions.

You could also call the `groups` command via 'os.popen(...)'.

Jul 18 '05 #2
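The group half of the question, as an added example that is not code from the original thread: the primary group lives only as a gid in the passwd entry, so a scan of /etc/group member lists alone misses it. The table-based functions below work on constructed passwd/group text so the logic can be checked offline; `groups_for_user()` does the same against the live databases through `pwd`, `grp` and `os.getgrouplist()` (the stdlib wrapper for the getgrouplist(3) call the reply recommends), which also covers NSS sources such as NIS or LDAP that parsing the flat files would never see.

```python
"""Every group a user belongs to: primary group plus supplementary groups.

Added example, not code from the original thread.
"""
import grp
import os
import pwd

# Constructed sample databases (not taken from any real host).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/sh
"""
GROUP_SAMPLE = """\
root:x:0:
wheel:x:10:alice
users:x:100:
docker:x:999:alice,bob
staff:x:50:bob
alice:x:1000:
"""


def parse_passwd(text):
    """Map user name -> (uid, primary gid) from passwd(5)-format text."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        entries[name] = (int(uid), int(gid))
    return entries


def parse_group(text):
    """Map gid -> (group name, set of member names) from group(5)-format text."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        entries[int(gid)] = (name, {m for m in members.split(",") if m})
    return entries


def groups_from_tables(user, passwd, groups):
    """Primary group first, then supplementary groups in gid order.

    The primary membership is recorded only as pw_gid in passwd, never in
    the group file's member list, so it has to be added explicitly.
    """
    if user not in passwd:
        raise KeyError("unknown user %r" % user)
    _uid, primary_gid = passwd[user]
    # A gid with no group entry is kept visible as its number rather than dropped.
    result = [groups.get(primary_gid, (str(primary_gid), set()))[0]]
    for gid in sorted(groups):
        name, members = groups[gid]
        if user in members and name not in result:
            result.append(name)
    return result


def groups_for_user(user):
    """Same answer from the live system databases via getgrouplist(3)."""
    pw = pwd.getpwnam(user)  # KeyError if the user does not exist
    gids = os.getgrouplist(user, pw.pw_gid)  # primary gid is always included
    names = []
    for gid in gids:
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.append(str(gid))  # gid without a group entry
    return names
```

`groups_for_user()` needs no special privilege: group membership is world-readable. Only the password check in the other half of the question needs root or the shadow group.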
On 28 Feb 2005 20:17:58 EST, Tim Daneliuk <tu****@tundraware.com>
wrote:

> [...]
> Given a username and a password (plain text):
>
> 1) Validate that the password is correct for that user *without actually logging in*.
The naive solution is to use the 'crypt' module to encrypt the alleged
password, use 'pwd.getpwuid' or 'pwd.getpwnam' to get the user's
encrypted password (assuming the python process has appropriate access
privileges) and compare the two. This is naive in that:
* 'pwd.getpw*' may not retrieve the encrypted password even though the
current process has appropriate access privileges
* the password may be for an encryption or authentication scheme other
than that provided by 'crypt'.
Using the local authentication scheme shouldn't have these
shortcomings.

There may not be a Python module which handles your local
authentication scheme (there's a 'krb5' module for Kerberos
authentication), so you may need to write one. This could be done by
an extension module in C or C++ which wraps around whatever local
authentication functions are appropriate (e.g. a 'pam' module for PAM,
an 'auth' module for BSD). You'd only need to wrap the functions
needed for simple pass/fail authentication (e.g. 'auth_userokay'), but
the other functions could easily be added to the extension later if
needed.

If you're not sure what authentication scheme your system uses, try
`man -s 3 authenticate` or examine "/usr/src/usr.bin/login/login.c".

Whichever approach you use, the process that calls the authentication
functions needs special access privileges so that the functions can
successfully accept or reject the password. The man pages for the
authentication functions should have details. For example, 'getpwnam'
(used by 'auth_userokay' and the 'pwd' module) requires the effective
uid to be 0 (or, on some systems, the user to be in the "_shadow"
group) for it to include the encrypted password in the returned passwd
entry.

'crypt' and 'pwd' modules:
http://www.python.org/doc/2.4/lib/module-crypt.html
http://www.python.org/doc/2.4/lib/module-pwd.html

extending Python:
http://www.python.org/doc/2.4/ext/ext.html

Python/C API:
http://www.python.org/doc/2.4/api/api.html

Information on Linux-PAM
http://www.kernel.org/pub/linux/libs/pam/

You could even add support for the full authentication API to your
module and contribute the extension to the Python community.
http://www.python.org/download/Contributed.html.

> 2) If the password is valid, return a list of all the groups the user belongs to.
> Otherwise, return some error string.
> [...]
> I can do 2) by brute force - just parse through /etc/group - but this
> misses the primary group a given user may belong to - and that requires
> also scanning /etc/passwd and then looking up the corresponding primary
> group in /etc/group. Is there a better way?

Slightly better would be to use the 'grp' and 'pwd' modules. One
advantage of this is it should support networked user databases (such
as YP).
http://www.python.org/doc/2.4/lib/module-grp.html
http://www.python.org/doc/2.4/lib/module-pwd.html

If you've grabbed the password entry for a user during authentication,
you've already got the login group but you'll still need to check for
additional groups. You could create a dictionary which maps user
names or IDs to groups. This would still require processing all
groups (via 'grp.getpwall()'), but is more efficient if you need to
fetch the groups of more than one user in the life of the process
(from the outline, I'm guessing this will only be the case if the
program is a server of some sort). Just make sure you have a method
to re-process the group database into the group dictionary in case the
group file changes.

Even better would be to write an extension or add to the grp module to
wrap around local group database access functions (e.g. getgrouplist).
See the 'getgrouplist' man page for more information and examine the
source of the `groups` command (probably
"/usr/src/usr.bin/groups/groups.c") or `id` command (should be
"/usr/src/usr.bin/id/id.c") for other group DB access functions.

You could also call the `groups` command via 'os.popen(...)'.

Jul 18 '05 #3
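The "wrap the local authentication scheme" route from the reply above, as an added example that is not code from the original thread. Instead of a C extension it drives Linux-PAM through ctypes, calling only what a pass/fail check needs: pam_start, pam_authenticate, pam_acct_mgmt and pam_end. Assumptions: Linux-PAM (`libpam.so.0`, whose conversation callback receives an array of message pointers; the library name and that convention differ on other platforms), a PAM service file for the chosen service name (default "login") under /etc/pam.d, and a process with the rights pam_unix needs to read the shadow file, normally root or the setuid unix_chkpwd helper.

```python
"""Pass/fail password check through Linux-PAM via ctypes.

Added example, not code from the original thread.
"""
import ctypes
from ctypes import (CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int,
                    c_size_t, c_void_p, cast)

PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1  # hidden prompt, e.g. "Password:"
PAM_PROMPT_ECHO_ON = 2   # echoed prompt, e.g. "login:"
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4
PAM_CONV_ERR = 19


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    # resp is a raw pointer: PAM free()s it, so it must come from the C heap.
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]


CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def answer_prompts(styles, user, password):
    """Decide what to hand back for each prompt style in one conversation.

    Hidden prompts get the password, echoed prompts get the user name, and
    informational or error messages get no response (NULL), as PAM expects.
    """
    answers = []
    for style in styles:
        if style == PAM_PROMPT_ECHO_OFF:
            answers.append(password)
        elif style == PAM_PROMPT_ECHO_ON:
            answers.append(user)
        else:
            answers.append(None)
    return answers


def pam_check_password(user, password, service="login"):
    """Return (True, "") if PAM accepts the pair, otherwise (False, reason)."""
    libpam = ctypes.CDLL("libpam.so.0")  # loaded lazily: importing needs no PAM
    libc = ctypes.CDLL(None)
    libc.calloc.restype = c_void_p
    libc.calloc.argtypes = [c_size_t, c_size_t]
    libc.strdup.restype = c_void_p
    libc.strdup.argtypes = [c_char_p]
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    libpam.pam_authenticate.argtypes = [c_void_p, c_int]
    libpam.pam_acct_mgmt.argtypes = [c_void_p, c_int]
    libpam.pam_end.argtypes = [c_void_p, c_int]
    libpam.pam_strerror.restype = c_char_p
    libpam.pam_strerror.argtypes = [c_void_p, c_int]

    @CONV_FUNC
    def conversation(n_msgs, msgs, resp_out, _appdata):
        block = libc.calloc(n_msgs, ctypes.sizeof(PamResponse))
        if not block:
            return PAM_CONV_ERR
        responses = cast(block, POINTER(PamResponse))
        styles = [msgs[i].contents.msg_style for i in range(n_msgs)]
        for i, answer in enumerate(answer_prompts(styles, user, password)):
            if answer is not None:
                responses[i].resp = libc.strdup(answer.encode())
                responses[i].resp_retcode = 0
        resp_out[0] = responses
        return PAM_SUCCESS

    conv = PamConv(conversation, None)
    handle = c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(), byref(conv), byref(handle))
    if rc != PAM_SUCCESS:
        return False, "pam_start failed (%d)" % rc
    try:
        rc = libpam.pam_authenticate(handle, 0)
        if rc == PAM_SUCCESS:
            # A correct password is not enough: also reject expired or locked accounts.
            rc = libpam.pam_acct_mgmt(handle, 0)
        if rc == PAM_SUCCESS:
            return True, ""
        return False, libpam.pam_strerror(handle, rc).decode()
    finally:
        libpam.pam_end(handle, rc)
```

Use a dedicated service file rather than "login" when you can, so the policy (fail delay, lockout, which modules run) is the one you intend for this script and not the one tuned for console logins. The error string returned on failure comes from pam_strerror and is deliberately coarse; do not enrich it with "no such user" versus "bad password", which would let a caller enumerate accounts.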
>> 1) Validate that the password is correct for that user *without
>> actually logging in*.

Kanenas> The 'pwd' module probably won't be able (and won't try) to read
Kanenas> the shadow password file, so 'pwd' won't be of use.

Note that an spwd module was recently added to Python's CVS repository. I
imagine it will be in 2.5.

Skip
Jul 18 '05 #4
On Tue, 1 Mar 2005 09:45:26 -0600, Skip Montanaro <sk**@pobox.com>
wrote:
>>> 1) Validate that the password is correct for that user *without
>>> actually logging in*.
>
> Kanenas> The 'pwd' module probably won't be able (and won't try) to read
> Kanenas> the shadow password file, so 'pwd' won't be of use.
>
> Note that an spwd module was recently added to Python's CVS repository. I
> imagine it will be in 2.5.
>
> Skip

It turns out 'pwd' uses the system 'getpwuid' and 'getpwnam' rather
than parsing /etc/passwd, so it can get the encrypted password if the
getpw* functions read the shadow passwd and the Python process has
EUID 0 (or whatever access rights getpw* use to determine when to
return the encrypted passwd). I misread (was misled by?) the 'pwd'
documentation:

"However most modern unices use a so-called shadow password
system. On those unices the field pw_passwd only contains a asterisk
('*') or the letter "x" where the encrypted password is stored in a
file /etc/shadow which is not world readable."

This is true if the getpw* don't read from the shadow passwd, which is
the case for Solaris and Linux. Linux and Solaris use getsp*, which
'spwd' is based on, to manage the shadow passwd. On OpenBSD and
FreeBSD, getpw* read from the shadow passwd and the getsp* don't
exist.

In summation, use 'pwd' to retrieve encrypted password on OpenBSD and
FreeBSD (and others?), 'spwd' on Linux and Solaris (and others?).
Assuming one goes this route.
--
Kanenas
Jul 18 '05 #5
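The "assuming one goes this route" path, as an added example that is not code from the original thread: take the stored hash from `pwd` where the getpw* functions return it (the BSDs, as root) and fall back to `spwd` where `pw_passwd` only holds a placeholder (Linux, Solaris), then re-hash the candidate with crypt(3) and compare in constant time. Assumptions: the process runs with enough privilege to read the shadow database, and the `crypt` module exists (it was removed in Python 3.13; on newer interpreters use the PAM route instead). The pure helpers are kept separate so the placeholder and lock handling can be checked without a real user database.

```python
"""Check a password against the stored hash via pwd/spwd and crypt(3).

Added example, not code from the original thread.
"""
import hmac
import pwd

try:
    import spwd  # Linux/Solaris shadow access; absent on the BSDs and on 3.13+
except ImportError:
    spwd = None
try:
    import crypt  # wraps crypt(3), which knows the local hash schemes ($6$, $y$, ...)
except ImportError:
    crypt = None


def is_placeholder(field):
    """True when pw_passwd is only a shadow marker ('x', '*') or empty."""
    return field in ("", "x", "*")


def is_locked(hash_field):
    """A leading '!' or '*' (or no hash at all) means no password can match."""
    return not hash_field or hash_field[0] in "!*"


def choose_stored_hash(passwd_field, shadow_field):
    """Pick the usable hash: pwd's field unless it is a placeholder, else shadow's.

    Returns None when there is nothing to compare against (locked account,
    no shadow entry, or no privilege to read it), which must mean "reject".
    """
    candidate = shadow_field if is_placeholder(passwd_field) else passwd_field
    if candidate is None or is_locked(candidate):
        return None
    return candidate


def stored_hash_for(user):
    """Look the user up in pwd, then in spwd where the hash lives elsewhere."""
    passwd_field = pwd.getpwnam(user).pw_passwd  # KeyError if the user is unknown
    shadow_field = None
    if spwd is not None and is_placeholder(passwd_field):
        try:
            shadow_field = spwd.getspnam(user).sp_pwdp
        except (KeyError, PermissionError):
            shadow_field = None  # not in shadow, or not privileged enough to read it
    return choose_stored_hash(passwd_field, shadow_field)


def hashes_match(password, stored_hash):
    """Re-hash with the stored salt and scheme, then compare in constant time."""
    if crypt is None:
        raise RuntimeError("crypt module unavailable; use PAM on this interpreter")
    computed = crypt.crypt(password, stored_hash)
    return computed is not None and hmac.compare_digest(computed, stored_hash)


def check_password(user, password):
    """True only when a readable, unlocked hash exists and the password matches."""
    stored = stored_hash_for(user)
    if stored is None:
        return False  # locked, unreadable or no password set: never accept
    return hashes_match(password, stored)
```

This reproduces only what pam_unix's password check does; it applies none of the account policy (expiry, failure delays, lockout, password ageing) that the local authentication scheme would, which is the sense in which the reply above calls it naive. If the script is long-lived, avoid keeping the plaintext password around after the comparison, and never log it with the error string.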
