Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-13-2004, 06:56 AM
#1
Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian Lenny
Posts: 779
php & shadow passwords
Fedora 2
PHP learner creating a user application in PHP. How can I get user password input through an HTML form encrypted so that it can be checked against /etc/shadow?
Is there a better way than using HTML form to get the result I want? PAM??

12-13-2004, 10:17 AM
#2
Member
Registered: Apr 2002
Posts: 498
Why don't you start by explaining the result you want before asking us how to do it?

12-13-2004, 10:37 AM
#3
Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian Lenny
Posts: 779
Original Poster
I thought a short question would take less of people's time; it looks like I made it too short.
The HTML form of my application asks the user to enter a password. This password is plain text and I want to check it against what's in /etc/shadow, which is encrypted passwords.
So I need to encrypt the password received from the HTML form in a suitable way (probably using the same algorithm used to create /etc/shadow) so that it can be checked against /etc/shadow. How can I do that?
If too complicated, I'm thinking about creating a small database of users and using MD5 to encrypt their passwords as I don't want passwords in clear text stored.
Thanks for any hint.

12-14-2004, 09:27 AM
#4
Member
Registered: Apr 2002
Posts: 498
Comparing to /etc/shadow is a bad idea. You will want to set up a DB to store user names/passwords.

12-14-2004, 10:47 PM
#5
Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian Lenny
Posts: 779
Original Poster
Thanks to TruckStuff
If it's a bad idea then I won't do it.

12-17-2004, 04:59 AM
#6
Member
Registered: Aug 2004
Location: Europe
Posts: 587
If you can have different passwords for users of your web application, then do it and store the passwords somewhere else than shadow.
If you absolutely need to use authentication against standard user passwords from shadow, I suggest you take a look at some PHP bindings to PAM (pluggable authentication modules) which are used in the system to actually do the password checking (and much more stuff).
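
The approach recommended in the replies above (application accounts kept in the application's own store, with /etc/shadow never opened), as an added example that is not code from any poster in this thread. It uses PHP's password_hash()/password_verify() rather than plain MD5; the app_users table, the function names and the sample account are assumptions.

```php
<?php
// Added example: app_users, the function names and the sample account are hypothetical.
// Application accounts live in the app's own store; /etc/shadow is never opened.

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');   // constructed in-memory database for the demo
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE app_users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $name, string $password): void {
    // password_hash() picks a random salt and returns a crypt(3)-style string
    // that embeds the algorithm, cost and salt next to the one-way hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO app_users (name, pw_hash) VALUES (?, ?)')
       ->execute([$name, $hash]);
}

function check_login(PDO $db, string $name, string $password): bool {
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT pw_hash FROM app_users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();

    // Nothing is "encrypted and compared": password_verify() re-hashes the form
    // input with the salt read from the stored string and compares in constant time.
    // Unknown names are checked against a throwaway hash so timing stays similar.
    $ok = password_verify($password, $stored === false ? $dummy : $stored);
    if (!$ok || $stored === false) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {   // upgrade old hashes on login
        $db->prepare('UPDATE app_users SET pw_hash = ? WHERE name = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

$db = open_store();
register_user($db, 'alice', 'correct horse battery staple');
var_dump(check_login($db, 'alice', 'correct horse battery staple'));
var_dump(check_login($db, 'alice', 'wrong guess'));
var_dump(check_login($db, 'nobody', 'anything'));
```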

12-17-2004, 07:51 PM
#7
Member
Registered: Dec 2004
Location: Hawaii
Distribution: Fedora & CentOS
Posts: 72
I just want to clarify as to why it is a bad idea to have php be able to read /etc/shadow.
/etc/shadow is root-readable only, for the reason that it contains the password information for system users. If someone were able to read the data, remotely from the web, they could run a brute force program against it, to obtain the passwords of the users.
There are often exploits in common php apps that come out, and even though they are patched quickly, many many people do not upgrade right away. It only takes a day from a new exploit like this to be released before every site that can be found on google with the exploitable app's version number is taken advantage of.
And even though you may not use a common php app, a determined hacker could possibly find a way into your custom application. You definitely don't want anyone being able to see your /etc/shadow file, because then they'll gain access to your system, and potentially take you down before you even knew what happened.
-Corey

12-17-2004, 10:55 PM
#8
Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian Lenny
Posts: 779
Original Poster
Thanks to all for your valuable info.
TruckStuff's answer made me realize that I was proposing to introduce a serious weakness to the system and the other answers confirmed it and explained why. I promise you, I'll leave /etc/shadow alone and be a bit more thoughtful in the future.

All times are GMT -5.