user authentication via /etc/passwd|/etc/shadow

[Marco Herrn]

Hi,

I want to write a program where I authenticate users via the standard
unix system accounts. I didn't find a module providing this
functionality. Is there such a module available? If not, how can I
achieve this?

Marco

 

[=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=]

I want to write a program where I authenticate users via the standard
unix system accounts. I didn't find a module providing this
functionality. Is there such a module available? If not, how can I
achieve this?

You need a combination of the pwd and crypt modules. Lookup the name
of the user using the pwd module, and fetch the encrypted password.
Then use crypt.crypt for encryption; use the first two letters of
the encrypted password as the salt.

Be aware that some installations use MD5 passwords, which can be
recognized by starting with $1$ (or some such).

Regards,
Martin

 

[Marco Herrn]

You need a combination of the pwd and crypt modules.

It seems that the pwd module can only access /etc/passwd. If the
passwords are stored in /etc/shadow, it doesn't work. Is there a way to
access shadow passwords, too?

Marco

 

[=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=]

It seems that the pwd module can only access /etc/passwd. If the
passwords are stored in /etc/shadow, it doesn't work. Is there a way to
access shadow passwords, too?

No, support for shadow modules is currently not available. You might
want to check out http://python.org/sf/579435 to see whether it helps
you. Comments in this SF patch submission on the usability of the
specific patch are appreciated.

Regards,
Martin

 

[Dima Barsky]

I want to write a program where I authenticate users via the standard
unix system accounts. I didn't find a module providing this
functionality. Is there such a module available? If not, how can I
achieve this?

You can try the python-pam module:

http://ftp.debian.org/debian/pool/main/p/python-pam/python-pam_0.4.2-10.1.tar.gz

Regards,
Dima.

 

[Marco Herrn]

You can try the python-pam module:

http://ftp.debian.org/debian/pool/main/p/python-pam/python-pam_0.4.2-10.1.tar.gz

Thanks, I will try it.

 

[Marco Herrn]

You need a combination of the pwd and crypt modules. Lookup the name
of the user using the pwd module, and fetch the encrypted password.
Then use crypt.crypt for encryption; use the first two letters of
the encrypted password as the salt.

Be aware that some installations use MD5 passwords, which can be
recognized by starting with $1$ (or some such).

A question to this md5 and sha1 hashed passwords. The python modules for
these are different to the crypt module. Especially there is no salt. So
how would I compare a given password to a given hash? Just rehash the
password? Would the hash always be the same? I thought the salt was
there to improve security.

And how can I distinguish a these hash methods? For example I have a
hash. How do I find out which hash method was used for this? As I have
seen md5 hashs are always 128 bit long. When I have such a hash in hex
form, can I say if that hash string has a length of 32 it is definitely
a md5 hash, a length of 40 indicating a sha hash and a length of 13
indicating a crypt() hash?
And what about the prefix $1$ for md5? When this is available just cut
it off the hash? Are there any other forms of such prefixes?

Sorry for this lot of questions. ;-)
Marco

 

[Ng Pheng Siong]

And what about the prefix $1$ for md5? When this is available just cut
it off the hash?

Yes, don't hash it.

Are there any other forms of such prefixes?

$ uname
FreeBSD

$ man 3 crypt
[...]
Modular crypt:
If the salt begins with the string $digit$ then the Modular Crypt Format
is used. The digit represents which algorithm is used in encryption.
Following the token is the actual salt to use in the encryption. The
length of the salt is limited to 8 characters--because the length of the
returned output is also limited (_PASSWORD_LEN). The salt must be termi-
nated with the end of the string (NULL) or a dollar sign. Any characters
after the dollar sign are ignored.

Currently supported algorithms are:

1. MD5
2. Blowfish

I believe this $digit$ convention was invented by the BSDs.

Cheers.