checking passwords against the linux /etc/passwd file

sleepy0110 · 09-29-2008, 07:41 PM

Hi,

I need to write a program that checks a password entered by a user against a password in the standard linux /etc/passwd file (I realize most linux distributions these days use shadow instead, but the system I'm dealing with still uses /etc/passwd)

I'm guess I would use the crypt function to encrypt the password given by the user. I do get confused on the salt input to the crypt function.
My understanding is that when a password is generated, the salt chosen to encrypt it is random. If that's the case, then I don't see how-to generate a comparable value from the user entered password to the password file.

Can anybody help me out on how I would check a pw entered by a user against the pw in the /etc/passwd file to see if it is correct?

Thanks.

sleepy0110 · 09-29-2008, 08:14 PM

Actually, figured it out. I was using the wrong salt value when doing the encryption.

In case others are wondering, the salt is found in the password file itself.

For MD5 based encryption (most modern) you'd have an encrypted pw that looks like this:
$1$wdU/3pY0$JRiqShV.12p6g8SabcT1fu
the salt value is: $1$wdU/3pY0$

so:
crypt("userEnteredPw", "$1$wdU/3pY0$");
Will give you: $1$wdU/3pY0$JRiqShV.12p6g8SabcT1fu

For DES, the password entry looks like this
A5di39f9k934d

the salt value is the first two characters: A5
so
crypt("userEnteredPW", "A5")
Will give you: A5di39f9k934d

All of the above is from the GNU C Library manual:
http://www.gnu.org/software/libc/man...ibc.html#crypt

sundialsvcs · 09-29-2008, 10:05 PM

The trick is, though ... "that's not how you check passwords."

Most of the time, the system uses "shadow passwords" so that the /etc/passwd file does not contain any password information at all. The actual password information is stored in a place you can't get to.

Sometimes, computers use a centralized authentication mechanism like LDAP so that there are no stored passwords on any particular machine.

But... you can still check passwords. The mechanism for doing so is usually PAM: Pluggable Authentication Modules. This provides a standard way for programs to request authentication and receive "the answer, yes or no," while giving humans great flexibility in specifying how the authentication is actually to be determined.