Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-13-2004, 06:56 AM
|
#1
|
Senior Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,310
Rep:
|
php & shadow passwords
Fedora 2
PHP learner creating a user application in PHP. How can I get user password input through an HTML form encrypted so that it can be checked against /etc/shadow?
Is there a better way than using HTML form to get the result I want? PAM??
|
|
|
12-13-2004, 10:17 AM
|
#2
|
Member
Registered: Apr 2002
Posts: 498
Rep:
|
Why don't you start by explaining the result you want before asking us how to do it?
|
|
|
12-13-2004, 10:37 AM
|
#3
|
Senior Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,310
Original Poster
Rep:
|
I thought a short question would take less of people's time; it looks like I made it too short.
The HTML form of my application asks the user to enter a password, this password is plain text and I want to check it against what's in /etc/shadow which is encrypted passwords.
So I need to encrypt the password received from the HTML form in a suitable way (probably using the same algorithm used to create /etc/shadow) so that it can be checked against /etc/shadow. How can I do that?
If too complicated, I'm thinking about creating a small database of users and using MD5 to encrypt their passwords as I don't want passwords in clear text stored.
Thanks for any hint.
|
|
|
12-14-2004, 09:27 AM
|
#4
|
Member
Registered: Apr 2002
Posts: 498
Rep:
|
Comparing to /etc/shadow is a bad idea. You will want to set up a DB to store user names/passwords.
|
|
|
12-14-2004, 10:47 PM
|
#5
|
Senior Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,310
Original Poster
Rep:
|
Thanks to TruckStuff
If it's a bad idea then I won't do it.
|
|
|
12-17-2004, 04:59 AM
|
#6
|
Member
Registered: Aug 2004
Location: Europe
Posts: 608
Rep:
|
If you can have different passwords for users of your web-application, then do it and store the passwords somewhere else than shadow.
If you absolutely need to use authentication against standard user passwords from shadow, I suggest you take a look at some PHP bindings to PAM (pluggable authentication modules) which are used in the system to actually do the password checking (and much more stuff).
|
|
|
12-17-2004, 07:51 PM
|
#7
|
Member
Registered: Dec 2004
Location: Hawaii
Distribution: Fedora & CentOS
Posts: 72
Rep:
|
I just want to clarify as to why it is a bad idea to have php be able to read /etc/shadow
/etc/shadow is root-readable only, for the reason that it contains the password information for system users. If someone were able to read the data, remotely from the web, they could run a brute force program against it, to obtain the passwords of the users.
There are often exploits in common php apps that come out, and even though they are patched quickly, many, many people do not upgrade right away. It only takes a day from a new exploit like this to be released before every site that can be found on Google with the exploitable app's version number is taken advantage of.
And even though you may not use a common php app, a determined hacker could possibly find a way into your custom application. You definitely don't want anyone being able to see your /etc/shadow file, because then they'll gain access to your system, and potentially take you down before you even knew what happened.
-Corey
|
|
|
12-17-2004, 10:55 PM
|
#8
|
Senior Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,310
Original Poster
Rep:
|
Thanks to all for your valuable info.
TruckStuff's answer made me realize that I was proposing to introduce a serious weakness to the system and the other answers confirmed it and explained why. I promise you, I'll leave /etc/shadow alone and be a bit more thoughtful in the future.
|
|
|
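The approach recommended in this thread, keeping web application passwords in the application's own store instead of checking them against /etc/shadow, shown in PHP as an added example that is not code from any poster. It uses PHP's password_hash()/password_verify() (salted, adaptive hashing) rather than the plain MD5 mentioned in the thread; the app_users table, the function names and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example: application accounts live in the app's own table, never in /etc/shadow.

function open_store(): PDO {
    // In-memory SQLite keeps the example self-contained; a real app would use its own database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE app_users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $name, string $password): void {
    // password_hash() picks a random salt and a deliberately slow algorithm for each password.
    $stmt = $db->prepare('INSERT INTO app_users (name, pw_hash) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $name, string $password): bool {
    static $dummy = null;
    // Dummy hash so an unknown user name costs the same work as a known one.
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $stmt = $db->prepare('SELECT pw_hash FROM app_users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    // Always run one verification, whether or not the user exists.
    $ok = password_verify($password, $stored === false ? $dummy : (string) $stored);
    if ($stored === false || !$ok) {
        return false;
    }
    // Transparently upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash((string) $stored, PASSWORD_DEFAULT)) {
        $up = $db->prepare('UPDATE app_users SET pw_hash = ? WHERE name = ?');
        $up->execute([password_hash($password, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

// Constructed sample data, for demonstration only.
$db = open_store();
register_user($db, 'alice', 'constructed sample passphrase');
var_dump(check_login($db, 'alice', 'constructed sample passphrase'));
var_dump(check_login($db, 'alice', 'wrong guess'));
var_dump(check_login($db, 'nobody', 'anything'));
```

Because the web server process only ever reads its own table, a flaw in the PHP application exposes these application hashes and not the system accounts in /etc/shadow.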