how to check for unix password

Discussion in 'Python' started by eight02645999@yahoo.com, Nov 2, 2005.

  1. Guest

    hi
    i created a login page that authenticates the user and his/her password
    to the unix system. what modules can i use to compare the unix
    password with what the user typed in the cgi form? the password is
    encrypted (shadowed) so i need to
    decrypt it first before comparing to what the user typed. or this
    cannot be done at all?
    thanks
     
    , Nov 2, 2005
    #1

  2. Guest

    Complicated issue. There are lots of authentication subsystems that may
    be in use (PAM, LDAP, Kerberos, /etc/shadow etc.). Each has a different
    way. If it is Linux, I think you should shoot for PAM; for other unix
    systems I have no idea.
    /etc/passwd is a one way hash, you need the user to submit the plain text
    equivalent (better use SSL) then compute and compare.

    However, if this is a web page, I believe it would be better to use the
    apache2 module which has relatively good integration with the
    authentication system.

    wrote:
    > hi
    > i created a login page that authenticates the user and his/her password
    > to the unix system. what modules can i use to compare the unix
    > password with what the user typed in the cgi form? the password is
    > encrypted (shadowed) so i need to
    > decrypt it first before comparing to what the user typed. or this
    > cannot be done at all?
    > thanks
     
    , Nov 2, 2005
    #2

  3. Mike Meyer Guest

    writes:
    > i created a login page that authenticates the user and his/her password
    > to the unix system. what modules can i use to compare the unix
    > password with what the user typed in the cgi form? the password is
    > encrypted (shadowed) so i need to
    > decrypt it first before comparing to what the user typed. or this
    > cannot be done at all?


    As has already been pointed out, users authenticate to Unix systems
    with a lot more than passwords.

    Also, it's not a good idea to make a web page use a system
    password. Web page passwords tend to be poorly protected.

    Finally, you can't decrypt a Unix password file password. The
    algorithm is to encrypt what the user typed (with crypt.crypt) then
    compare that with the entry in the password file. You pass crypt.crypt
    the user-entered password as the first argument, and the password from
    the password file as the second, and compare the returned value to the
    password from the password file.

    <mike
    --
    Mike Meyer <> http://www.mired.org/home/mwm/
    Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
     
    Mike Meyer, Nov 2, 2005
    #3
  4. Magnus Lycka Guest

    wrote:
    > hi
    > i created a login page that authenticates the user and his/her password
    > to the unix system. what modules can i use to compare the unix
    > password with what the user typed in the cgi form? the password is
    > encrypted (shadowed) so i need to


    That's not the same thing. Unix passwords are always hashed (encrypted
    if you like), but shadowing means that the hashed password isn't visible
    in the /etc/passwd file (this file is readable to anyone logged into the
    system) but stored in a shadow file which is only available to
    administrators.

    > decrypt it first before comparing to what the user typed. or this
    > cannot be done at all?


    No. This is done with a one-way encryption algorithm, it shouldn't
    be possible to decrypt the password hashes without a time consuming
    brute force attack. That's not how the authentication works.

    What you should do is to encrypt the user supplied password with the
    same algorithm and salt as the Unix system uses, and compare the
    hashes.

    Another option is to simply run some program that tries to log in
    the user on the unix box and see if that goes well.

    If you really use shadow passwords, and can't run as root on the
    system, manual comparison with the password hash is not an option.

    For another alternative, see
    http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/203610
    If POP won't help you, I'm sure you might think of similar approaches,
    telnetlib or ftplib might prove helpful.
     
    Magnus Lycka, Nov 2, 2005
    #4
  5. wrote:

    > i created a login page that authenticates the user and his/her password
    > to the unix system. what modules can i use to compare the unix
    > password with what the user typed in the cgi form? the password is
    > encrypted (shadowed) so i need to decrypt it first before comparing
    > to what the user typed.


    encrypted != shadowed. unix passwords are always encrypted, and
    cannot be decrypted (at least not easily).

    to check a password, encrypt the given password using the same salt,
    and check if you get the same result. see the second example on this
    page for an example:

    http://effbot.org/librarybook/crypt.htm

    if the password is shadowed, you need the right privileges, and the spwd
    module:

    http://www.python.org/dev/doc/devel/lib/module-spwd.html

    this is only available in development versions. to use it with an older
    version, you have to build it yourself. the source code is here:

    http://svn.python.org/view/python/trunk/Modules/spwdmodule.c

    </F>
     
    Fredrik Lundh, Nov 2, 2005
    #5
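
Added example (not code from any poster in this thread): the check Mike Meyer and Fredrik Lundh describe above, hashing the typed password with the stored hash as the salt argument and comparing the result. It takes shadow(5)-format text as a string instead of reading /etc/shadow (which needs root); the function names, the sample user and password, and the ctypes fallback for Python versions that no longer ship the crypt module are assumptions of this example.

```python
import hmac

def _load_crypt():
    """Return a crypt(word, salt) callable: stdlib crypt, else libcrypt via ctypes."""
    try:
        import crypt  # removed from the standard library in Python 3.13
        return crypt.crypt
    except ImportError:
        import ctypes.util
        lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
        lib.crypt.restype = ctypes.c_char_p
        lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        def c_crypt(word, salt):
            out = lib.crypt(word.encode(), salt.encode())
            return out.decode() if out else None
        return c_crypt

unix_crypt = _load_crypt()

def stored_hash(shadow_text, user):
    """Return the hash field for `user` from shadow(5)-format text, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None

def check_password(shadow_text, user, typed):
    """True only if hashing `typed` with the stored salt reproduces the stored hash."""
    stored = stored_hash(shadow_text, user)
    # Unknown user, empty field (no password set), or "*"/"!" (locked): refuse.
    if not stored or stored[0] in "*!":
        return False
    # The stored hash carries its own scheme id and salt, so it is passed as the
    # second argument; the typed password is re-hashed, nothing is decrypted.
    try:
        candidate = unix_crypt(typed, stored)
    except OSError:  # stdlib crypt raises this for a malformed stored value
        return False
    return candidate is not None and hmac.compare_digest(
        candidate.encode(), stored.encode())

# Constructed sample: a SHA-512 ($6$) entry for a made-up user, plus a locked account.
SAMPLE_SHADOW = "\n".join([
    "alice:" + unix_crypt("correct horse", "$6$examplesalt$") + ":19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
])

if __name__ == "__main__":
    print(check_password(SAMPLE_SHADOW, "alice", "correct horse"))
```
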