Howto compare password in /etc/shadow

blunt · 04-17-2007, 06:20 AM

Hello.

I'm trying to develop a PHP script to control some functions in my server. The server has VPS and I want to create a simple script which allows the root user of the VPS to reboot it, from a graphical interface instead of from shell access.

What I need is to compare the password the user enters in the PHP form, with the root passowrd from the /etc/shadow file he has in his VPS. Is there any method of converting a plain password to the shadow format so I can compare it to the one contained in the /etc/shadow file?

Is there any other (maybe more efective) way of doing this, without having to for example, create a table in mysql with users and passwords and check the login form against that information?

Thank you

wjevans_7d1@yahoo.co · 04-17-2007, 09:55 AM

I can only help you from the C world; I don't know jack about PHP. But maybe this will give you a first step.

See these pages:

Code:

man 5 shadow
man 3 shadow
man 3 crypt

Hope this is of some help.

Matir · 04-17-2007, 10:14 AM

If the root password hash from the shadow file is in $rootpw, and the input password is in $password, use this:

Code:

if($rootpw==crypt($password,$rootpw)){
    // correct password
} else {
    // incorrect password
}

blunt · 04-17-2007, 04:20 PM

thank you wjevans for your reply. I had read some of the man pages, but not all of the three you mentioned. It doesn't help much about PHP, bue it does provide some necessary info.

Thank you Matir for your post, I had already found some info about the PHP needed to test the passwords, and although your solution provides correct result, it seems that the crypt function from PHP only needs the first 2 characters from the encrypted shadow password as salt to provide the correct encrypted pass.

Besides that, I figured out that I need suexec installed with apache and PHP in order to be able to read the /etc/shadow file.
It all seems to work now.

thank you both

Matir · 04-17-2007, 04:55 PM

If you only need the first 2 characters you are probably using DES passwords... a tiny bit outdated, you may want to update.

blunt · 04-18-2007, 05:41 AM

Yes, the VPSs have encrypted passwords that only use the 2 first characters. They run on Debian Sarge. I don't really know how to update that...

But now I'm having another problem...I can get the script to work if I type "php myscript.php" in the shell, bue if I go to the browser, I only get a 403 forbidden error...Any guess on why this is happening? Is my apache not working well with suexec?

Thank you