UNIX for Dummies Questions & Answers

i have an application that uses the encrypted password that's in the /etc/shadow file.

i copied the line for the particular username i was interested it in from shadow file and i pasted it into the password file of the application. the application is nagios.

this application allowed that particular user access as long as she entered the right password.

my question is, how can i authenticate users using the shadow password file? i'd like to do this in my own scripts.

for instance if a user enters "Apple" for a password. when encrypted, that will be scrambled to look differently (as it is in the shadow file). how can i make it so if a user is running a script, i want to make sure its the right user. not someone posing as the user.

i already tried:

Code:

echo "Apple" | md5sum

but the resulting scrambled letters do not match that of the /etc/shadow.

OS: Linux/SunOS/HPUX

Thank you all

I think you are trying to do this from the wrong side. If you want to make sure only the right user can execute the script, then, instead of using passwords, make the script executable only for that user account (or group, if there are several users).

I hope this helps.

bakunin

The shadow file does not work that way. The passwords are obscured further than md5 (salted) to make them even more difficult to decipher.

I'm not sure they even use md5 for passwords anymore -- it turned out to have a major flaw.

If they can login as the correct user, they're probably the correct user, so use file access permissions to prevent anyone but that user from executing it.

This will also be a whole lot easier than trying to parse shadow files from three very different operating systems.

thank you guys!

yeah file permission setting is completely out of the equation since everyone has root here. that's out of my control. but what is under my control is making sure script is inoperable unless the proper password is written.

i'm thinking, if i can grab a line from the shadow file, insert it in the nagios password file htpasswd.users and have it actually work, then i need to figure out how Nagios is doing it. surely, if nagios can do it, i can.

If everyone has root, then why bother? If everyone has root, any countermeasure can be undermined and neither security nor accountability are a priority.

So, obviously, this system is insecure. That may acceptable; we don't know any of the particulars. If you explain what you are to trying to accomplish, instead of asking how to implement what you think is the solution, we may be able to provide useful advice.

As it stands, what you have asked is nonsensical. How can you use the shadow file to defend against an attacker who has permission to modify the shadow file?

Regards,
Alister

P.S. With regard to authenticating using the shadow file, it can be done using whatever interfaces your system provides to login, nagios, etc (my UNIX doesn't have a shadow file).

If everyone has root, you are -- to put it delicately -- screwed. You cannot prevent root from being root.