Shell Programming and Scripting

Hi there,
There's something I don't understand. The same string does not give the same md5 hash everytime. I wanted to find a way to check someone's password but the following script obviously shows that it's not possible that way :

Code:

ks354286:~# user=foo
ks354286:~# pw=$(mkpasswd -H md5 topsecret)
ks354286:~# echo "$user:$pw"
foo:$1$WYq0L220$25QI3T1cMGh1PsJc5guFv1
ks354286:~#
ks354286:~# useradd -p$pw $user
ks354286:~# grep "$user:$pw" /etc/shadow
foo:$1$WYq0L220$25QI3T1cMGh1PsJc5guFv1:14284:0:99999:7:::
ks354286:~#
ks354286:~# pw=$(mkpasswd -H md5 topsecret)
ks354286:~# echo "$user:$pw"
foo:$1$wrSmUGbt$DtqoBPvQ7xImZcHi3F2M71
ks354286:~#
ks354286:~# grep "$user:$pw" /etc/shadow
ks354286:~#

So in short. How can I check someone's password?
Thanks for your help
Santiago

PS: By the way, I have exactly the same problem with MySQL.

UNIX passwords contain a "salt" in order to create (a bit of) randomness and make them less guessable. To generate a password you usually call the crypt(3) routine with an empty salt. To check a password, you pass the hashed password as the salt to crypt(3), which extracts the salt originally used and uses this to create the other hashed password. If both hashes match, you've got the correct password.

pludi is correct, determining MD5 salt could be based on several things, timestamp that the user was created, last password change, you name it. Determining password is a pain in the butt, you could get some crack utilities like John the Ripper. But if you are the sysadmin of the box, reset the password, or force a password change for the end user.

Being security conscious I don't want a file laying around with passwords in an unencrypted format.. Get a trojan horse have that file stolen and kiss your career goodbye.

Hi pludi,
It took me a while to understand your "chinese". Sorry, I'm not a real pro.
Hi rmuledeer and thanks for your help as well.

Actually, the salt must only be part of the hashed password. The following shows that without salt, the hash is "random" but if you provide a specific one, you get the same hash.

Code:

ks354286:~# pw=$(mkpasswd -H md5 topsecret); echo $pw
$1$v2CxH4iz$T/186EWGfcqq9hXOpWKvv1
ks354286:~# pw=$(mkpasswd -H md5 topsecret); echo $pw
$1$akgRfAM.$4vlNIo233jQVM2jc989Ss/
ks354286:~# pw=$(mkpasswd -H md5 -S ${pw:3:8} topsecret); echo $pw
$1$akgRfAM.$4vlNIo233jQVM2jc989Ss/

Now, here is what I found to check someone's password (you must be root or have sudo powers):

Code:

ks354286:~# user=foo
ks354286:~# password=topsecret
ks354286:~# hpw=$(grep "^$user:" /etc/shadow | cut -d ':' -f 2)
ks354286:~# grep -q "^$user:$(mkpasswd -H md5 -S ${hpw:3:8} $password)" /etc/shadow && echo OK || echo 'Denied!'
OK
ks354286:~#
ks354286:~# password=notsosure
ks354286:~# hpw=$(grep "^$user:" /etc/shadow | cut -d ':' -f 2)
ks354286:~# grep -q "^$user:$(mkpasswd -H md5 -S ${hpw:3:8} $password)" /etc/shadow && echo OK || echo 'Denied!'
Denied!

So far, so good. The problem is that I'm trying to create a web interface to allow users to change their password. Why?
1) They don't know what unix is and would not be able to change it through the shell (they don't even have access to it).
2) But they use several services that rely on their unix account
It's a small group of people that I know and they just tell me their password but I'd like this to be more confidential.

So I have my script that checks a password before changing it. But it must be executed as root and the web page is www-data. Any idea to work around this?
1) Let www-data store the form (username, oldpassword, newpassword) in a file and run a cron every minute so root can apply the changes (dumb eh!)
Problem1: The password lays uncrypted during 30 seconds.
Problem2: I cannot warn the user if he has entered an incorrect oldpassword.
2) Give www-data superpowers (dumber?)

Any other idea?