The UNIX and Linux Forums  
How can I check that a password is correct?

#1  02-09-2009  chebarbudo (Registered User; joined Nov 2008; location: various; 188 posts)

Hi there,
There's something I don't understand. The same string does not give the same md5 hash every time. I wanted to find a way to check someone's password, but the following script obviously shows that it's not possible that way:

Code:
ks354286:~# user=foo
ks354286:~# pw=$(mkpasswd -H md5 topsecret)
ks354286:~# echo "$user:$pw"
foo:$1$WYq0L220$25QI3T1cMGh1PsJc5guFv1
ks354286:~#
ks354286:~# useradd -p$pw $user
ks354286:~# grep "$user:$pw" /etc/shadow
foo:$1$WYq0L220$25QI3T1cMGh1PsJc5guFv1:14284:0:99999:7:::
ks354286:~#
ks354286:~# pw=$(mkpasswd -H md5 topsecret)
ks354286:~# echo "$user:$pw"
foo:$1$wrSmUGbt$DtqoBPvQ7xImZcHi3F2M71
ks354286:~#
ks354286:~# grep "$user:$pw" /etc/shadow
ks354286:~#

So, in short: how can I check someone's password?
Thanks for your help
Santiago

PS: By the way, I have exactly the same problem with MySQL.
#2  02-09-2009  pludi (Forum Staff, Moderator; joined Dec 2008; location: .at; 1,944 posts)
UNIX passwords contain a "salt" in order to create (a bit of) randomness and make them less guessable. To generate a password you usually call the crypt(3) routine with an empty salt. To check a password, you pass the hashed password as the salt to crypt(3), which extracts the salt originally used and uses this to create the other hashed password. If both hashes match, you've got the correct password.

#3  02-09-2009  rmuledeer (Registered User; joined Feb 2009; 5 posts)
pludi is correct. Determining the MD5 salt could be based on several things: the timestamp when the user was created, the last password change, you name it. Determining the password is a pain in the butt; you could get some cracking utilities like John the Ripper. But if you are the sysadmin of the box, reset the password, or force a password change for the end user.

Being security conscious, I don't want a file lying around with passwords in an unencrypted format. Get a trojan horse, have that file stolen, and kiss your career goodbye.

#4  02-10-2009  chebarbudo (Registered User; joined Nov 2008; location: various; 188 posts)
Hi pludi,
It took me a while to understand your "Chinese". Sorry, I'm not a real pro.
Hi rmuledeer and thanks for your help as well.

Actually, the salt must only be part of the hashed password. The following shows that without salt, the hash is "random" but if you provide a specific one, you get the same hash.

Code:
ks354286:~# pw=$(mkpasswd -H md5 topsecret); echo $pw
$1$v2CxH4iz$T/186EWGfcqq9hXOpWKvv1
ks354286:~# pw=$(mkpasswd -H md5 topsecret); echo $pw
$1$akgRfAM.$4vlNIo233jQVM2jc989Ss/
ks354286:~# pw=$(mkpasswd -H md5 -S ${pw:3:8} topsecret); echo $pw
$1$akgRfAM.$4vlNIo233jQVM2jc989Ss/

Now, here is what I found to check someone's password (you must be root or have sudo powers):

Code:
ks354286:~# user=foo
ks354286:~# password=topsecret
ks354286:~# hpw=$(grep "^$user:" /etc/shadow | cut -d ':' -f 2)
ks354286:~# grep -q "^$user:$(mkpasswd -H md5 -S ${hpw:3:8} $password)" /etc/shadow && echo OK || echo 'Denied!'
OK
ks354286:~#
ks354286:~# password=notsosure
ks354286:~# hpw=$(grep "^$user:" /etc/shadow | cut -d ':' -f 2)
ks354286:~# grep -q "^$user:$(mkpasswd -H md5 -S ${hpw:3:8} $password)" /etc/shadow && echo OK || echo 'Denied!'
Denied!

So far, so good. The problem is that I'm trying to create a web interface to allow users to change their password. Why?
1) They don't know what unix is and would not be able to change it through the shell (they don't even have access to it).
2) But they use several services that rely on their unix account
It's a small group of people that I know and they just tell me their password but I'd like this to be more confidential.

So I have my script that checks a password before changing it. But it must be executed as root and the web page is www-data. Any idea to work around this?
1) Let www-data store the form (username, oldpassword, newpassword) in a file and run a cron every minute so root can apply the changes (dumb eh!)
Problem1: The password lies unencrypted for up to 30 seconds.
Problem2: I cannot warn the user if he has entered an incorrect oldpassword.
2) Give www-data superpowers (dumber?)

Any other idea?
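To make pludi's description in #2 (the stored hash carries its own salt; verification means re-hashing the candidate with that salt and comparing) and Santiago's shell check in #4 concrete, here is an added example that is not from the thread, from mkpasswd or from glibc. It reimplements MD5-crypt (the `$1$` scheme both posts use) in pure Python on top of hashlib so it runs offline without root or /etc/shadow; on a real system you would call crypt(3) and pass the stored string as the salt argument, exactly as pludi says, rather than carry your own copy of the algorithm. The `foo` shadow line and the hashes asserted below are the ones posted in this thread; `md5crypt`, `extract_salt`, `verify`, `new_hash` and `check_shadow_line` are names chosen for this example. One caveat: `$1$` is an obsolete scheme (1000 rounds of MD5); current systems store `$6$` or yescrypt hashes, and a web form that needs to check a user's password should go through PAM rather than read /etc/shadow itself.

```python
import hashlib
import hmac
import secrets

# crypt(3)'s own 64-character alphabet (not RFC 4648 base64); also the salt charset.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s to64(): emit `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt ($1$) as computed by glibc/FreeBSD crypt(3).

    `salt` is the raw salt (no "$1$" prefix); crypt(3) uses at most 8 bytes.
    Returns the full "$1$<salt>$<hash>" field that goes into /etc/shadow.
    """
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)

    # Inner digest of password+salt+password, mixed in once per 16 bytes of password.
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16

    # Mix in the password length bit by bit: a NUL byte for each set bit,
    # the first password byte for each clear bit.
    length = len(password)
    while length:
        ctx.update(b"\0" if length & 1 else password[:1])
        length >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching; the input schedule depends on the round number.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()

    # Output bytes are permuted before the crypt-style encoding (22 chars).
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (MAGIC + salt).decode() + "$" + encoded


def extract_salt(stored: str) -> bytes:
    """Pull the salt out of a stored "$1$<salt>$<hash>" field (what ${hpw:3:8} did in #4)."""
    if not stored.startswith("$1$"):
        raise ValueError("not an MD5-crypt hash")
    return stored[3:].split("$", 1)[0].encode()


def new_hash(password: str) -> str:
    """What `mkpasswd -H md5` does without -S: fresh random 8-char salt, then hash."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8)).encode()
    return md5crypt(password.encode(), salt)


def verify(password: str, stored: str) -> bool:
    """The crypt(3) check from #2: reuse the stored salt, recompute, compare in constant time."""
    recomputed = md5crypt(password.encode(), extract_salt(stored))
    return hmac.compare_digest(recomputed, stored)


def check_shadow_line(user: str, password: str, shadow_text: str) -> bool:
    """Find `user` in shadow-format text and verify `password` against its hash field."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user:
            return verify(password, fields[1])
    return False


# Constructed sample: the "foo" line from post #1 (its salt and hash are the values shown there).
SAMPLE_SHADOW = "foo:$1$WYq0L220$25QI3T1cMGh1PsJc5guFv1:14284:0:99999:7:::\n"

if __name__ == "__main__":
    print(check_shadow_line("foo", "topsecret", SAMPLE_SHADOW))  # True
    print(check_shadow_line("foo", "notsosure", SAMPLE_SHADOW))  # False
    fresh = new_hash("topsecret")
    print(fresh, verify("topsecret", fresh))  # new salt, different string, still verifies
```

Two different hashes of "topsecret" are both valid because each carries its own salt in the middle field; that is why grepping /etc/shadow for a freshly generated hash fails while recomputing with the stored salt succeeds. The `hmac.compare_digest` call is the one detail the shell version cannot easily get right: a plain string comparison leaks, through timing, how many leading characters of the guess's hash matched.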