user authentication via /etc/passwd|/etc/shadow

Discussion in 'Python' started by Marco Herrn, Apr 4, 2004.

  1. Marco Herrn

    Marco Herrn Guest

    Hi,

    I want to write a program where I authenticate users via the standard
    unix system accounts. I didn't find a module providing this
    functionality. Is there such a module available? If not, how can I
    achieve this?

    Marco

    --
    Marco Herrn
    (GnuPG/PGP-signed and crypted mail preferred)
    Key ID: 0x94620736
    Marco Herrn, Apr 4, 2004
    #1

  2. Marco Herrn wrote:
    > I want to write a program where I authenticate users via the standard
    > unix system accounts. I didn't find a module providing this
    > functionality. Is there such a module available? If not, how can I
    > achieve this?


    You need a combination of the pwd and crypt modules. Look up the name
    of the user using the pwd module, and fetch the encrypted password.
    Then use crypt.crypt for encryption; use the first two letters of
    the encrypted password as the salt.

    Be aware that some installations use MD5 passwords, which can be
    recognized by starting with $1$ (or some such).

    Regards,
    Martin
    Martin v. Löwis, Apr 4, 2004
    #2

  3. Marco Herrn

    Marco Herrn Guest

    On 2004-04-04, Martin v. Löwis wrote:
    > Marco Herrn wrote:
    >> I want to write a program where I authenticate users via the standard
    >> unix system accounts. I didn't find a module providing this
    >> functionality. Is there such a module available? If not, how can I
    >> achieve this?

    >
    > You need a combination of the pwd and crypt modules.

    It seems that the pwd module can only access /etc/passwd. If the
    passwords are stored in /etc/shadow, it doesn't work. Is there a way to
    access shadow passwords, too?

    Marco

    --
    Marco Herrn
    (GnuPG/PGP-signed and crypted mail preferred)
    Key ID: 0x94620736
    Marco Herrn, Apr 4, 2004
    #3
  4. Marco Herrn wrote:
    > It seems that the pwd module can only access /etc/passwd. If the
    > passwords are stored in /etc/shadow, it doesn't work. Is there a way to
    > access shadow passwords, too?


    No, support for shadow modules is currently not available. You might
    want to check out http://python.org/sf/579435 to see whether it helps
    you. Comments in this SF patch submission on the usability of the
    specific patch are appreciated.

    Regards,
    Martin
    Martin v. Löwis, Apr 4, 2004
    #4
  5. Marco Herrn

    Dima Barsky Guest

    Dima Barsky, Apr 4, 2004
    #5
  6. Marco Herrn

    Marco Herrn Guest

    On 2004-04-04, Dima Barsky wrote:
    > Marco Herrn wrote:
    >
    >> I want to write a program where I authenticate users via the standard
    >> unix system accounts. I didn't find a module providing this
    >> functionality. Is there such a module available? If not, how can I
    >> achieve this?

    >
    > You can try the python-pam module:
    >
    > http://ftp.debian.org/debian/pool/main/p/python-pam/python-pam_0.4.2-10.1.tar.gz


    Thanks, I will try it.


    --
    Marco Herrn
    (GnuPG/PGP-signed and crypted mail preferred)
    Key ID: 0x94620736
    Marco Herrn, Apr 5, 2004
    #6
  7. Marco Herrn

    Marco Herrn Guest

    On 2004-04-04, Martin v. Löwis wrote:
    > You need a combination of the pwd and crypt modules. Look up the name
    > of the user using the pwd module, and fetch the encrypted password.
    > Then use crypt.crypt for encryption; use the first two letters of
    > the encrypted password as the salt.
    >
    > Be aware that some installations use MD5 passwords, which can be
    > recognized by starting with $1$ (or some such).


    A question about these md5 and sha1 hashed passwords. The python modules for
    these are different to the crypt module. Especially there is no salt. So
    how would I compare a given password to a given hash? Just rehash the
    password? Would the hash always be the same? I thought the salt was
    there to improve security.

    And how can I distinguish these hash methods? For example I have a
    hash. How do I find out which hash method was used for this? As I have
    seen md5 hashes are always 128 bit long. When I have such a hash in hex
    form, can I say if that hash string has a length of 32 it is definitely
    a md5 hash, a length of 40 indicating a sha hash and a length of 13
    indicating a crypt() hash?
    And what about the prefix $1$ for md5? When this is available just cut
    it off the hash? Are there any other forms of such prefixes?

    Sorry for this lot of questions. ;-)
    Marco


    --
    Marco Herrn
    (GnuPG/PGP-signed and crypted mail preferred)
    Key ID: 0x94620736
    Marco Herrn, Apr 6, 2004
    #7
  8. According to Marco Herrn:
    > And what about the prefix $1$ for md5? When this is available just cut
    > it off the hash?


    Yes, don't hash it.

    > Are there any other forms of such prefixes?


    $ uname
    FreeBSD

    $ man 3 crypt
    [...]
    Modular crypt:
    If the salt begins with the string $digit$ then the Modular Crypt Format
    is used. The digit represents which algorithm is used in encryption.
    Following the token is the actual salt to use in the encryption. The
    length of the salt is limited to 8 characters--because the length of the
    returned output is also limited (_PASSWORD_LEN). The salt must be
    terminated with the end of the string (NULL) or a dollar sign. Any characters
    after the dollar sign are ignored.

    Currently supported algorithms are:

    1. MD5
    2. Blowfish

    I believe this $digit$ convention was invented by the BSDs.

    Cheers.


    --
    Ng Pheng Siong

    http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
    http://sandbox.rulemaker.net/ngps -+- ZServerSSL/Zope Windows Installers
    Ng Pheng Siong, Apr 9, 2004
    #8
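
Added example, not part of the original thread or any poster's code: it ties together the pwd/crypt procedure from post #2 and the prefix questions from posts #7 and #8 by classifying a stored password field by its crypt(3) format and verifying a password with a constant-time comparison. The names `classify`, `verify` and `crypt_fn` are hypothetical, the scheme ids other than `1` and `2` do not appear in the thread, and the sample fields are constructed.

```python
import hmac
import re

# crypt(3) scheme ids. "1" and "2" are listed in the man page quoted above;
# the "2a/2b/2y" variants and "5"/"6" (SHA-256/512) are not from the thread.
MCF_SCHEMES = {"1": "md5", "2": "blowfish", "2a": "blowfish", "2b": "blowfish",
               "2y": "blowfish", "5": "sha256", "6": "sha512"}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char hash


def classify(field):
    """Name the scheme of a passwd/shadow password field, or None if the
    field cannot match any password (empty, 'x' placeholder, locked)."""
    if field in ("", "x") or field[0] in "!*":
        return None
    if field.startswith("$"):
        parts = field.split("$")  # ['', id, salt or params, ..., hash]
        if len(parts) < 4 or not parts[-1]:
            return None
        return MCF_SCHEMES.get(parts[1], "unknown")
    return "des" if DES_RE.fullmatch(field) else None


def verify(password, stored, crypt_fn):
    """Check password against stored using crypt_fn(word, salt) -> str.

    The whole stored field is passed as the salt: crypt(3) reads the
    scheme id and salt from its front, so nothing is cut off by hand.
    """
    if classify(stored) is None:
        return False  # fail closed on locked, empty or malformed entries
    candidate = crypt_fn(password, stored)
    if not isinstance(candidate, str):
        return False  # crypt_fn gave no usable result for this scheme
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed sample fields (shape only, not real password hashes).
    for sample in ("abcdefghijklm", "$1$abcdefgh$" + "A" * 22, "x", "!locked",
                   "f" * 32):
        print(repr(sample), "->", classify(sample))
```

On Python versions that still ship the standard-library `crypt` module (it was removed in 3.13), `crypt.crypt` can be passed as `crypt_fn`. Reading the hash from /etc/shadow requires root privileges.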
