Velocity Reviews


eight02645999@yahoo.com 11-02-2005 10:30 AM

how to check for unix password
 
hi
i created a login page that authenticates the user and his/her password
to the unix system. what modules can i use to compare the unix
password with what the user typed in the cgi form? the password is
encrypted (shadowed) so i need to
decrypt it first before comparing to what the user typed. or this
cannot be done at all?
thanks


bonono@gmail.com 11-02-2005 10:57 AM

Re: how to check for unix password
 
complicated issue. There are lots of authentication subsystems that may
be in use (PAM, LDAP, Kerberos, /etc/shadow etc.). Each has a different
way. If it is linux, I think you should shoot for PAM, for other unix
systems I have no idea.
/etc/passwd is a one way hash, you need the user to submit the plain text
equivalent (better use SSL) then compute and compare.

However, if this is a web page, I believe it would be better to use the
apache2 module which has relatively good integration with the
authentication system.

eight02645999@yahoo.com wrote:
> hi
> i created a login page that authenticates the user and his/her password
> to the unix system. what modules can i use to compare the unix
> password with what the user typed in the cgi form? the password is
> encrypted (shadowed) so i need to
> decrypt it first before comparing to what the user typed. or this
> cannot be done at all?
> thanks



Mike Meyer 11-02-2005 02:35 PM

Re: how to check for unix password
 
eight02645999@yahoo.com writes:
> i created a login page that authenticates the user and his/her password
> to the unix system. what modules can i use to compare the unix
> password with what the user typed in the cgi form? the password is
> encrypted (shadowed) so i need to
> decrypt it first before comparing to what the user typed. or this
> cannot be done at all?


As has already been pointed out, users authenticate to Unix systems
with a lot more than passwords.

Also, it's not a good idea to make a web page use a system
password. Web page passwords tend to be poorly protected.

Finally, you can't decrypt a Unix password file password. The
algorithm is to encrypt what the user typed (with crypt.crypt) then
compare that with the entry in the password file. You pass crypt.crypt
the user-entered password as the first argument, and the password from
the password file as the second, and compare the returned value to the
password from the password file.

<mike
--
Mike Meyer <mwm@mired.org> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

Magnus Lycka 11-02-2005 04:23 PM

Re: how to check for unix password
 
eight02645999@yahoo.com wrote:
> hi
> i created a login page that authenticates the user and his/her password
> to the unix system. what modules can i use to compare the unix
> password with what the user typed in the cgi form? the password is
> encrypted (shadowed) so i need to


That's not the same thing. Unix passwords are always hashed (encrypted
if you like), but shadowing means that the hashed password isn't visible
in the /etc/passwd file (this file is readable to anyone logged into the
system) but stored in a shadow file which is only available to
administrators.

> decrypt it first before comparing to what the user typed. or this
> cannot be done at all?


No. This is done with a one-way encryption algorithm, it shouldn't
be possible to decrypt the password hashes without a time consuming
brute force attack. That's not how the authentication works.

What you should do is to encrypt the user supplied password with the
same algorithm and salt as the Unix system uses, and compare the
hashes.

Another option is to simply run some program that tries to log in
the user on the unix box and see if that goes well.

If you really use shadow passwords, and can't run as root on the
system, manual comparison with the password hash is not an option.

For another alternative, see
http://aspn.activestate.com/ASPN/Coo.../Recipe/203610
If POP won't help you, I'm sure you might think of similar approaches,
telnetlib or ftplib might prove helpful.

Fredrik Lundh 11-02-2005 05:00 PM

Re: how to check for unix password
 
eight02645999@yahoo.com wrote:

> i created a login page that authenticates the user and his/her password
> to the unix system. what modules can i use to compare the unix
> password with what the user typed in the cgi form? the password is
> encrypted (shadowed) so i need to decrypt it first before comparing
> to what the user typed.


encrypted != shadowed. unix passwords are always encrypted, and
cannot be decrypted (at least not easily).

to check a password, encrypt the given password using the same salt,
and check if you get the same result. see the second example on this
page for an example:

http://effbot.org/librarybook/crypt.htm

if the password is shadowed, you need the right privileges, and the spwd
module:

http://www.python.org/dev/doc/devel/...dule-spwd.html

this is only available in development versions. to use it with an older
version, you have to build it yourself. the source code is here:

http://svn.python.org/view/python/tr...s/spwdmodule.c

</F>
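
Added example, not part of any post in this thread: the check Mike Meyer and Fredrik Lundh describe above (hash the typed password using the stored hash as the salt, then compare), with empty, `*` and `!`-locked shadow entries rejected. `demo_crypt`, `stored_hash`, `check_password` and the sample shadow lines are constructed for illustration so the block runs offline; on a real system the hashing function would be `crypt.crypt` (Unix only, removed from the standard library in Python 3.13).

```python
import hashlib
import hmac
import warnings

try:  # crypt is Unix-only, deprecated in 3.11 and removed in 3.13
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        from crypt import crypt as system_crypt
except ImportError:
    system_crypt = None


def demo_crypt(word, salt):
    """Constructed stand-in with crypt(3)'s calling convention (offline demo
    only): the '$demo$<salt>$' prefix is read back out of `salt`."""
    _, scheme, salt_value, *_ = salt.split("$")
    digest = hashlib.sha256((salt_value + word).encode()).hexdigest()
    return f"${scheme}${salt_value}${digest}"


def stored_hash(shadow_line):
    """Return the hash field of one shadow(5)-style line, or None when the
    account has no usable password (empty field, '*', or '!'-locked)."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    field = fields[1]
    if not field or field.startswith(("!", "*")):
        return None
    return field


def check_password(typed, shadow_line, crypt_fn=system_crypt):
    """Hash `typed` with the salt embedded in the stored hash and compare."""
    stored = stored_hash(shadow_line)
    if stored is None or crypt_fn is None:
        return False
    candidate = crypt_fn(typed, stored)  # stored hash doubles as the salt
    if candidate is None:  # older Pythons return None on crypt(3) failure
        return False
    # Constant-time comparison of the two hash strings.
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Constructed sample entries (not real accounts).
ALICE = "alice:" + demo_crypt("correct horse", "$demo$Zx9q$") + ":19000:0:99999:7:::"
LOCKED = "bob:!" + demo_crypt("hunter2", "$demo$k3Pm$") + ":19000:0:99999:7:::"
```

Nothing is ever decrypted: the typed password is hashed with the salt taken from the stored entry, and only the two hashes are compared.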




