UNIX passwords contain a "salt" in order to create (a bit of) randomness and make them less guessable. To generate a password you usually call the crypt(3) routine with an empty salt. To check a password, you pass the hashed password as the salt to crypt(3), which extracts the salt originally used and uses this to create the other hashed password. If both hashes match, you've got the correct password.

pludi is correct, determining MD5 salt could be based on several things, timestamp that the user was created, last password change, you name it. Determining password is a pain in the butt, you could get some crack utilities like John the Ripper. But if you are the sysadmin of the box, reset the password, or force a password change for the end user.
Being security conscious I don't want a file lying around with passwords in an unencrypted format. Get a trojan horse, have that file stolen and kiss your career goodbye.

Hi pludi,
It took me a while to understand your "Chinese". Sorry, I'm not a real pro.

Hi rmuledeer, and thanks for your help as well.

Actually, the salt must only be part of the hashed password. The following shows that without salt, the hash is "random" but if you provide a specific one, you get the same hash.

Code:
ks354286:~# pw=$(mkpasswd -H md5 topsecret); echo $pw
$1$v2CxH4iz$T/186EWGfcqq9hXOpWKvv1
ks354286:~# pw=$(mkpasswd -H md5 topsecret); echo $pw
$1$akgRfAM.$4vlNIo233jQVM2jc989Ss/
ks354286:~# pw=$(mkpasswd -H md5 -S ${pw:3:8} topsecret); echo $pw
$1$akgRfAM.$4vlNIo233jQVM2jc989Ss/

Now, here is what I found to check someone's password (you must be root or have sudo powers):

Code:
ks354286:~# user=foo
ks354286:~# password=topsecret
ks354286:~# hpw=$(grep "^$user:" /etc/shadow | cut -d ':' -f 2)
ks354286:~# grep -q "^$user:$(mkpasswd -H md5 -S ${hpw:3:8} $password)" /etc/shadow && echo OK || echo 'Denied!'
OK
ks354286:~#
ks354286:~# password=notsosure
ks354286:~# hpw=$(grep "^$user:" /etc/shadow | cut -d ':' -f 2)
ks354286:~# grep -q "^$user:$(mkpasswd -H md5 -S ${hpw:3:8} $password)" /etc/shadow && echo OK || echo 'Denied!'
Denied!

So far, so good. The problem is that I'm trying to create a web interface to allow users to change their password. Why?

1) They don't know what unix is and would not be able to change it through the shell (they don't even have access to it).
2) But they use several services that rely on their unix account.

It's a small group of people that I know and they just tell me their password, but I'd like this to be more confidential. So I have my script that checks a password before changing it. But it must be executed as root and the web page is www-data. Any idea to work around this?

1) Let www-data store the form (username, oldpassword, newpassword) in a file and run a cron every minute so root can apply the changes (dumb eh!)
   Problem1: The password lies unencrypted for 30 seconds.
   Problem2: I cannot warn the user if he has entered an incorrect oldpassword.
2) Give www-data superpowers (dumber?)

Any other idea?
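
The password check from the post above, as an added example that is not code from the thread: it reads the scheme and salt out of the stored hash instead of assuming `${hpw:3:8}`, passes the candidate password on stdin rather than on the command line, and compares the whole hash as a literal string instead of a `grep` pattern. It goes beyond the MD5 case by also accepting `$5$` and `$6$` hashes. The function name `check_hash` is hypothetical, and the `openssl` command-line tool is assumed to be installed.

```shell
# check_hash STORED_HASH  -- candidate password is read from stdin.
# Returns 0 on match, 1 on mismatch, 2 if the hash cannot be checked here.
check_hash() {
    stored=$1
    # Modular crypt format: $<id>$<salt>$<digest>
    case $stored in
        '$'*'$'*'$'*) ;;
        *) return 2 ;;              # "!", "*", DES crypt, empty field
    esac
    rest=${stored#?}                # drop the leading "$"
    scheme=${rest%%\$*}; rest=${rest#*\$}
    salt=${rest%%\$*}
    case $scheme in
        1) flag=-1 ;;               # MD5-crypt, as used in the thread
        5) flag=-5 ;;               # SHA-256-crypt
        6) flag=-6 ;;               # SHA-512-crypt
        *) return 2 ;;              # e.g. yescrypt, bcrypt
    esac
    # A "rounds=N" field sits where the salt would be; openssl passwd
    # has no option for it, so refuse instead of computing a wrong hash.
    case $salt in ''|rounds=*) return 2 ;; esac
    # Password goes in on stdin, so it never shows up in the process list.
    computed=$(openssl passwd "$flag" -salt "$salt" -stdin) || return 2
    # Literal comparison of the complete hash, not a regex match.
    [ "$computed" = "$stored" ]
}

# Constructed demo using the hash and passwords shown in the thread.
demo_hash='$1$akgRfAM.$4vlNIo233jQVM2jc989Ss/'
for candidate in topsecret notsosure; do
    if printf '%s\n' "$candidate" | check_hash "$demo_hash"; then
        echo "$candidate: OK"
    else
        echo "$candidate: Denied!"
    fi
done
```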