Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
|
|
08-14-2006, 06:25 PM
|
#1
|
Senior Member
Registered: Aug 2003
Location: Portland, Oregon
Distribution: Arch
Posts: 1,374
Rep:
|
howto: verify a user/pass at the shell prompt.
I am writing a program, users need to have a valid account on the system to use the program, so in short they give the program their username and password, the program then needs to verify the account is a valid system account, and verify the password is the correct password for that system account.
I am writing this script in perl, but might end up doing similar in php, both can issue shell commands, so I would like it to be a command I can run at the shell prompt. Anyone know how to accomplish this?
I have been searching like mad all over the place and I am guessing I simply lack the understanding necessary to formulate a proper search string.
|
|
|
08-15-2006, 03:21 AM
|
#2
|
Member
Registered: Oct 2003
Location: St Paul, MN
Distribution: Fedora 8, Fedora 9
Posts: 513
Rep:
|
Any reason why you can't use sudo and echo in the username and password?
|
|
|
08-15-2006, 03:24 AM
|
#3
|
Member
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257
Rep:
|
Quote:
Originally Posted by exodist
I am writing a program, users need to have a valid account on the system to use the program, so in short they give the program their username and password, the program then needs to verify the account is a valid system account, and verify the password is the correct password for that system account.
|
So basically you want your code to authenticate users against already existing system accounts. Am I right?
Quote:
Originally Posted by exodist
I am writing this script in perl, but might end up doing similar in php, both can issue shell commands, so I would like it to be a command I can run at the shell prompt. Anyone know how to accomplish this?
|
Hmm...not quite clear...Do you mean...
Quote:
Originally Posted by exodist
I have been searching like mad all over the place and I am guessing I simply lack the understanding necessary to formulate a proper search string.
|
Okay...this might help...
Code:
# anchor the match to the login-name field so e.g. "arvind2" does not count
grep '^arvind:' /etc/passwd
will check if the username "arvind" is a valid account or not..
Checking if the pwd is correct may not be that simple though...as passwords are shadow encrypted in Linux. You might want your code to automatically take user's password input, run it through a shadow converter, put it in a variable and then do something like...
Code:
# -F: match the hash as a literal string, since it contains "$" and "."
grep -F -- "$PASS" /etc/shadow
... to see if there's a match...If yes then see if it's for the same username as entered b4...and you're in business..
If I've misunderstood what you need...let me know...
Cheers
Arvind
p.s.....The guys in the programming forum may be able to help you a bit more though ... so probably this post should have been there
Last edited by live_dont_exist; 08-15-2006 at 03:25 AM.
|
|
|
08-15-2006, 04:22 AM
|
#4
|
Senior Member
Registered: Aug 2003
Location: Portland, Oregon
Distribution: Arch
Posts: 1,374
Original Poster
Rep:
|
thank you.
cdhgee: I do not see how sudo can accomplish what I want
live_dont_exist: You understood what I wanted just fine, and you got just as far as I did. Problem is that echo "$password" | shadow does not produce the same encrypted string as the one in /etc/shadow.
There is another question I should have more clearly asked, please see below the solution:
However, the people on the programming forum were able to help me. The string in the /etc/shadow in the password section contains both the encrypted password, and the seed used to generate it which is different for each password, using just this information I would guess you can pass both the string and the seed to shadow, however I do not know for sure, the script I am writing is in perl and I was informed of a perl module to use for encrypting the string using the seed, so I am now good.
As for posting this in the programming section, I posted a different question in the programming forum, there I specifically requested information on how to accomplish my task. I figured someone in the programming forum could give me a code snippet or a perl module to use, and that would be great for the program.
I also had the goal of figuring out how the /etc/shadow file worked, and how the linux security was setup. Here I posted a question to improve my greater understanding of linux security, and mentioned why I needed the info... hopefully I did not violate any double-posting rules, if I did I apologize.
A better question
The above solution is great on a system with /etc/shadow holding the passwords. But I know some systems use pam, and possibly other methods of managing users and passwords, I was hoping there was a system utility or command or something that would work regardless of what method you use. I know the 'login' command accomplishes something similar to this, it is what presents the initial system login, and it is the same both on pam and shadow, so I was hoping there was something similar a user could just call and use.
|
|
|
08-15-2006, 04:23 AM
|
#5
|
Member
Registered: Mar 2005
Distribution: FC4
Posts: 83
Rep:
|
You don't have all those..Try this..
The function returns 1 if the user and passwd match, 0 otherwise
Code:
import socket

def matchpasswd(login, passwd):
    service_port = 61237
    address = 'IP_ADDRESS'
    # initialise the socket; socket.socket() raises an exception on failure
    new_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        new_socket.connect((address, service_port))  # connect to server
        tosend = "auth " + login + " " + passwd + "\r\n"  # the format of authorisation
        new_socket.sendall(tosend.encode())
        chunk = new_socket.recv(128).decode(errors="replace")
    finally:
        new_socket.close()
    # 1 if the server answered "1 match", 0 otherwise
    if chunk == "1 match":
        return 1
    else:
        return 0
U can try this too as explained above
Last edited by Intimidator; 08-15-2006 at 04:41 AM.
|
|
|
08-15-2006, 04:48 AM
|
#6
|
Member
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257
Rep:
|
Good stuff... chill about the double post...I just felt it looked more of a coding quest .. that's all... You mentioned the seed also being stored inside the shadow password in /etc/shadow...so maybe if your code can first grab the seed of the user account...and then use it while passing it through "shadow" converter..it'll work...but then again...If there is a module which does that ... ...
The "Login" binary ...I did think of that ...but there would be permission issues I believe if you tried to call it directly as a normal user...as in...
However if u can call "login" ... without any issue(just try and directly at a shell first) .. then system("/bin/login") might just work in your code without u using all those modules...
arvind@attack$ /bin/login
Error: permission denied???
This is what I think will happen...not sure...let me know if it works though...
Cheers n all the best
Arvind
Last edited by live_dont_exist; 08-15-2006 at 04:50 AM.
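The point made in posts #4 and #6, that the password field in /etc/shadow carries its own salt and that this salt has to be fed back into the hash function, shown as an added example (not code from any poster in this thread). It uses Perl's built-in crypt() and assumes a Linux libc with SHA-512 ("$6$") support; the user names, password and salts are constructed sample data, and the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example: check a password against one /etc/shadow-format line.
# Assumes a Linux libc whose crypt(3) supports SHA-512 ("$6$") hashes.
use strict;
use warnings;

# Constant-time comparison, so timing does not reveal how many leading
# characters of the hash matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# $entry is one line in /etc/shadow format: name:hash:lastchg:...
sub verify_shadow_entry {
    my ($entry, $user, $password) = @_;
    my ($name, $stored) = split /:/, $entry;
    return 0 unless defined $stored && $name eq $user;
    # An empty field, "*" or a leading "!" means no usable password or a locked account.
    return 0 if $stored eq '' || $stored =~ /^[!*]/;
    # The stored field is "$id$salt$hash"; passing it whole as the salt
    # argument makes crypt() reuse the same algorithm and salt.
    my $computed = crypt($password, $stored);
    return 0 unless defined $computed;
    return ct_eq($computed, $stored) ? 1 : 0;
}

# Constructed sample data: shadow lines for a made-up user "alice".
my $hash   = crypt('correct horse', '$6$Constructed5alt$');
my $entry  = join ':', 'alice', $hash, 19000, 0, 99999, 7, '', '', '';
my $locked = join ':', 'alice', "!$hash", 19000, 0, 99999, 7, '', '', '';
my $other  = crypt('correct horse', '$6$AnotherSalt0000$');

printf "right password: %d\n", verify_shadow_entry($entry,  'alice', 'correct horse');
printf "wrong password: %d\n", verify_shadow_entry($entry,  'alice', 'wrong');
printf "wrong user:     %d\n", verify_shadow_entry($entry,  'bob',   'correct horse');
printf "locked account: %d\n", verify_shadow_entry($locked, 'alice', 'correct horse');
# Same password, different salt: the hashes differ, which is why grepping
# /etc/shadow for a freshly computed hash finds nothing.
printf "same hash under another salt: %d\n", ($other eq $hash) ? 1 : 0;
```

Reading the real /etc/shadow requires root, so a program that does this against live accounts has to run privileged.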
|
|
|
08-15-2006, 04:59 AM
|
#7
|
Senior Member
Registered: Aug 2003
Location: Portland, Oregon
Distribution: Arch
Posts: 1,374
Original Poster
Rep:
|
Intimidator:
Wow... for the moment I will assume what you sent works... but I do not like to use code if I do not understand it, I will avoid socket 101 questions and skip to the details I would like:
service_port=61237 Why this port, what is its significance? is it designated as the login port? or is it arbitrary, if so how/why does this work?
I was gonna ask a few other questions, like why the chunk='' what the hell is chunk, but then I noticed this is neither shell nor perl, it is a language I do not recognise immediately... and I am assuming it is something I would understand if I used sockets in that specific language.
The only other question is what is the \r escape character? I have never used it.
|
|
|
08-15-2006, 05:07 AM
|
#8
|
Member
Registered: Oct 2003
Location: St Paul, MN
Distribution: Fedora 8, Fedora 9
Posts: 513
Rep:
|
\r is a carriage return. Mac uses \r for line endings, Windows uses \r\n and *nix uses \n.
|
|
|
08-16-2006, 05:16 AM
|
#9
|
Member
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227
Rep:
|
|
|
|