LinuxQuestions.org
Old 12-13-2004, 06:56 AM   #1
rblampain
Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 7
Posts: 790

Rep: Reputation: 32
php & shadow passwords


Fedora 2
PHP learner creating a user application in PHP. How can I get user password input through an HTML form encrypted so that it can be checked against /etc/shadow?

Is there a better way than using an HTML form to get the result I want? PAM??
 
Old 12-13-2004, 10:17 AM   #2
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Why don't you start by explaining the result you want before asking us how to do it?
 
Old 12-13-2004, 10:37 AM   #3
rblampain
Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 7
Posts: 790

Original Poster
Rep: Reputation: 32
I thought a short question would take less of people's time; it looks like I made it too short.
The HTML form of my application asks the user to enter a password; this password is plain text and I want to check it against what's in /etc/shadow, which is encrypted passwords.

So I need to encrypt the password received from the HTML form in a suitable way (probably using the same algorithm used to create /etc/shadow) so that it can be checked against /etc/shadow. How can I do that?

If too complicated, I'm thinking about creating a small database of users and using MD5 to encrypt their passwords as I don't want passwords in clear text stored.

Thanks for any hint.
 
Old 12-14-2004, 09:27 AM   #4
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Comparing to /etc/shadow is a bad idea. You will want to set up a DB to store user names/passwords.
 
Old 12-14-2004, 10:47 PM   #5
rblampain
Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 7
Posts: 790

Original Poster
Rep: Reputation: 32
Thanks to TruckStuff
If it's a bad idea then I won't do it.
 
Old 12-17-2004, 04:59 AM   #6
r0b0
Member
 
Registered: Aug 2004
Location: Europe
Posts: 600

Rep: Reputation: 49
If you can have different passwords for users of your web-application, then do it and store the passwords somewhere else than shadow.
If you absolutely need to use authentication against standard user passwords from shadow, I suggest you take a look at some PHP bindings to PAM (pluggable authentication modules) which are used in the system to actually do the password checking (and much more stuff).
 
Old 12-17-2004, 07:51 PM   #7
cormander
Member
 
Registered: Dec 2004
Location: Hawaii
Distribution: Fedora & CentOS
Posts: 72

Rep: Reputation: 15
I just want to clarify as to why it is a bad idea to have php be able to read /etc/shadow.

/etc/shadow is root-readable only, for the reason that it contains the password information for system users. If someone were able to read the data remotely from the web, they could run a brute force program against it to obtain the passwords of the users.

There are often exploits in common php apps that come out, and even though they are patched quickly, many many people do not upgrade right away. It only takes a day from a new exploit like this to be released before every site that can be found on Google with the exploitable app's version number is taken advantage of.

And even though you may not use a common php app, a determined hacker could possibly find a way into your custom application. You definitely don't want anyone being able to see your /etc/shadow file, because then they'll gain access to your system, and potentially take you down before you even knew what happened.

-Corey
 
Old 12-17-2004, 10:55 PM   #8
rblampain
Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 7
Posts: 790

Original Poster
Rep: Reputation: 32
Thanks to all for your valuable info.
TruckStuff's answer made me realize that I was proposing to introduce a serious weakness to the system and the other answers confirmed it and explained why. I promise you, I'll leave /etc/shadow alone and be a bit more thoughtful in the future.
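
The approach the replies recommend, a credential store owned by the web application and kept apart from /etc/shadow, shown as an added example that is not code from any poster in this thread. It assumes PHP 7 or later with the pdo_sqlite extension; the table, column and account names are constructed, and it uses PHP's password_hash()/password_verify(), which salt every entry, rather than a bare MD5 digest.

```php
<?php
// Added example: the web app keeps its own user table and never opens /etc/shadow.
// Table, column and account names below are constructed for illustration.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is available
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE app_users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $name, string $password): void {
    // password_hash() picks a random salt and embeds algorithm, cost and salt
    // in its output, so one column holds everything needed to verify later.
    $stmt = $db->prepare('INSERT INTO app_users (name, pw_hash) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $name, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM app_users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: still spend one hash computation so the response
        // time does not reveal which account names exist.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Default algorithm or cost has changed since this hash was stored.
        $up = $db->prepare('UPDATE app_users SET pw_hash = ? WHERE name = ?');
        $up->execute([password_hash($password, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

$db = open_store();
register_user($db, 'alice', 'same-password');
register_user($db, 'bob', 'same-password');
var_dump(check_login($db, 'alice', 'same-password'));
var_dump(check_login($db, 'alice', 'wrong'));
var_dump(check_login($db, 'nobody', 'same-password'));
// Same password, two different stored values; unsalted md5() would repeat.
$rows = $db->query('SELECT pw_hash FROM app_users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows[0] !== $rows[1], md5('same-password') === md5('same-password'));
```

A compromise of this table exposes only application passwords, and the web server process needs no read access to root-owned files.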
 
  


All times are GMT -5. The time now is 09:37 PM.
