The UNIX and Linux Forums

#4 (permalink)
Old 02-10-2009
chebarbudo
Registered User
Join Date: Nov 2008
Location: various
Posts: 188
Hi pludi,
It took me a while to understand your "Chinese". Sorry, I'm not a real pro.
Hi rmuledeer and thanks for your help as well.

Actually, the salt must only be part of the hashed password. The following shows that without salt, the hash is "random" but if you provide a specific one, you get the same hash.

Code:
ks354286:~# pw=$(mkpasswd -H md5 topsecret); echo $pw
$1$v2CxH4iz$T/186EWGfcqq9hXOpWKvv1
ks354286:~# pw=$(mkpasswd -H md5 topsecret); echo $pw
$1$akgRfAM.$4vlNIo233jQVM2jc989Ss/
ks354286:~# pw=$(mkpasswd -H md5 -S ${pw:3:8} topsecret); echo $pw
$1$akgRfAM.$4vlNIo233jQVM2jc989Ss/

Now, here is what I found to check someone's password (you must be root or have sudo powers):

Code:
ks354286:~# user=foo
ks354286:~# password=topsecret
ks354286:~# hpw=$(grep "^$user:" /etc/shadow | cut -d ':' -f 2)
ks354286:~# grep -q "^$user:$(mkpasswd -H md5 -S ${hpw:3:8} $password)" /etc/shadow && echo OK || echo 'Denied!'
OK
ks354286:~#
ks354286:~# password=notsosure
ks354286:~# hpw=$(grep "^$user:" /etc/shadow | cut -d ':' -f 2)
ks354286:~# grep -q "^$user:$(mkpasswd -H md5 -S ${hpw:3:8} $password)" /etc/shadow && echo OK || echo 'Denied!'
Denied!

So far, so good. The problem is that I'm trying to create a web interface to allow users to change their password. Why?
1) They don't know what Unix is and would not be able to change it through the shell (they don't even have access to it).
2) But they use several services that rely on their Unix account.
It's a small group of people that I know and they just tell me their password but I'd like this to be more confidential.

So I have my script that checks a password before changing it. But it must be executed as root and the web page is www-data. Any idea to work around this?
1) Let www-data store the form (username, oldpassword, newpassword) in a file and run a cron every minute so root can apply the changes (dumb eh!)
Problem 1: The password lies unencrypted on disk for up to a minute.
Problem 2: I cannot warn the user if he has entered an incorrect old password.
2) Give www-data superpowers (dumber?)

Any other idea?