how to check for unix password

Magnus Lycka lycka at carmen.se
Wed Nov 2 11:23:58 EST 2005


eight02645999 at yahoo.com wrote:
> hi
> i created a login page that authenticates the user and his/her password
> to the unix system. what modules can i use to compare the unix
> password with what the user typed in the cgi form? the password is
> encrypted (shadowed) so i need to

That's not the same thing. Unix passwords are always hashed (encrypted
if you like), but shadowing means that the hashed password isn't visible
in the /etc/passwd file (this file is readable to anyone logged into the
system) but stored in a shadow file which is only available to
administrators.

> decrypt it first before comparing to what the user typed. or this
> cannot be done at all?

No. This is done with a one-way encryption algorithm; it shouldn't
be possible to decrypt the password hashes without a time-consuming
brute force attack. That's not how the authentication works.

What you should do is to encrypt the user supplied password with the
same algorithm and salt as the Unix system uses, and compare the
hashes.

Another option is to simply run some program that tries to log in
the user on the unix box and see if that goes well.

If you really use shadow passwords, and can't run as root on the
system, manual comparison with the password hash is not an option.

For another alternative, see
http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/203610
If POP won't help you, I'm sure you might think of similar approaches,
telnetlib or ftplib might prove helpful.
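
The hash-and-compare approach described in the reply above, as an added example that is not part of the original post. It assumes a Linux crypt(3) with SHA-512 ("$6$") support, works on a constructed shadow-format string instead of the real /etc/shadow (which needs root), and the function names are hypothetical.

```python
import hmac

try:
    from crypt import crypt as unix_crypt       # stdlib through Python 3.12
except ImportError:                             # module removed in Python 3.13
    import ctypes, ctypes.util
    _lib = ctypes.CDLL(ctypes.util.find_library("crypt"))
    _lib.crypt.restype = ctypes.c_char_p
    _lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

    def unix_crypt(word, setting):
        out = _lib.crypt(word.encode(), setting.encode())
        return out.decode() if out else None


def stored_hash(shadow_text, user):
    """Return the hash field for `user` from shadow-format text, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user:
            return fields[1]
    return None


def check_password(shadow_text, user, typed):
    """Hash `typed` with the stored algorithm and salt, then compare hashes."""
    stored = stored_hash(shadow_text, user)
    # Empty, "*" or "!"-prefixed fields mean no password or a locked account.
    if not stored or stored[0] in "*!" or "\0" in typed:
        return False
    # crypt() reads the algorithm id and salt from the front of `stored`,
    # so passing the stored hash as the setting reuses both.
    candidate = unix_crypt(typed, stored)
    if not candidate:
        return False
    # Constant-time comparison of the two hash strings.
    return hmac.compare_digest(candidate.encode(), stored.encode())


def sample_shadow():
    """Constructed sample data: users, password and salt are made up."""
    h = unix_crypt("correct horse", "$6$constructedsalt")
    return f"alice:{h}:19000:0:99999:7:::\nbob:!{h}:19000:0:99999:7:::\n"
```

The stored hash is never decrypted: the typed password is run through the same one-way function and only the results are compared.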


