
08-11-2006, 06:54 AM
Newbie
Join Date: Jul 2006
Posts: 12
Linux user passwords and PHP
Hi all, I would like to know if it is possible to generate a hash, with PHP, of a password that a user inputs via a form, in a format compatible with Linux user passwords. The purpose of this would be to compare the two strings to see if they match. So far, hashing with md5 and des produces different strings than the ones in /etc/shadow.
Thanks in advance!

08-11-2006, 11:12 AM
Web Hosting Master
Join Date: Mar 2006
Posts: 961
The encryption method is being handled differently, between the web and linux, to avoid security issues. For instance, you wish to use the OS's encryption method and wish to put it on the web. That would be one of the most unrecommended procedures, since a hacker could, technically, discover the encryption type and method and could return disastrous results towards your linux server.
Which is why, for higher protection, it is recommended to use the encryption modules from PHP, (in this case), for safety measures.

08-15-2006, 12:05 PM
Web Hosting Master
Join Date: Dec 2002
Posts: 1,300
Quote:
The encryption method is being handled differently, between the web and linux, to avoid security issues.
No, that's not why.
Quote:
Which is why, for higher protection, it is recommended to use the encryption modules from PHP, (in this case), for safety measures.
No, wrong again.
The problem here is that you want to give an unprivileged web user (all users on a website should be considered that way) access to your /etc/shadow file. In case you aren't sure why this is a horrible idea, google for the reasons for creating a shadow file instead of just putting the hash into /etc/passwd - all unixes used to do this a long time ago.
You should consider other ways to accomplish your task. An idea:
Have a shell script running from cron as root to monitor a folder that your php script has writable access to. You will have to check in both scripts that the root password cannot be changed this way, and you have to otherwise lock it down so that only your intended user or users can have their passwords changed this way.
So, your webapp will write a file to this folder that contains the username and hashed password for the user whose password you want to change.
This system still has huge issues, but is still better than opening up your shadow file.
__________________
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"

08-16-2006, 07:26 PM
Web Hosting Master
Join Date: Dec 2004
Location: New York City, NY, USA
Posts: 735
I'm not sure whether you (the OP) wanted to be able to change passwords or not, but a common way to authenticate against the system (that is easy to do from PHP) is to use IMAP.
You run an IMAP server on your machine that has access to /etc/passwd and /etc/shadow, and make sure it is locked down. Your PHP script then tries to log in to this IMAP server and monitors whether the login was successful or not.

08-16-2006, 08:21 PM
Engineer
Join Date: Jan 2005
Location: Scotland, UK
Posts: 2,380
Hello,
You can generate the passwords using the crypt() function, however you will not be able to match like that due to the different salts.
-Scott
__________________
Scott Mcintyre

08-17-2006, 03:29 AM
Newbie
Join Date: Jul 2006
Posts: 12
Hi all
Still on summer vacations
I've considered the security implications of this scheme and for my purpose and with the security measures that will be in place, I believe they are acceptable.
Scott, I also tried using crypt(), I saw the different results and I also attributed them to what you mentioned, i.e. the different salts.
Now this might be more proper on a linux forum but how does linux manage the logins without knowing the salts? Would it be possible to interface php to login? I have already managed to authenticate users via php and pam but that doesn't help me with actually comparing the password given with the one stored. The ultimate goal would be for users (after authentication etc etc) to be able to change their system passwords.

08-18-2006, 07:36 AM
WHT Addict
Join Date: Sep 2002
Location: NYC
Posts: 120
The salt is the first two characters of the resulting crypted string the way linux encrypts passwords. So to validate a password you re-crypt it with the crypted password and compare the result to the crypted password. The problem of course is that you can't get at /etc/shadow (where the crypted passwords live) unless you are root.
From a PHP script I would use one of the two suggestions outlined by other posters which was to use other services (IMAP, FTP, SSH) to validate it or to store the password in a file and let a cron do the job. If you use the 2nd method you want to be running phpsuexec since you don't want to leave passwords sitting around in a world writeable file if you are in a shared hosting environment.
I have never tried it but the SSH method looks promising.
http://us2.php.net/manual/ar/function.ssh2-connect.php
You need to have libssh2 and openssl compiled in for this.
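Added example (not part of any post in this thread): the re-crypt-and-compare check discussed above, written in PHP. It goes beyond the two-character DES case by also covering the `$id$salt$` formats, since crypt() reads the scheme and salt from the front of whatever stored hash it is given. The function name verify_crypt_password and the sample entries are constructed for illustration, and the code assumes the caller has already been handed the hash field, which, as noted above, requires root for /etc/shadow.

```php
<?php
// Added example: verify a password against a crypt(3)-format hash by
// re-hashing the candidate with the stored hash as the salt argument.

/**
 * Returns true if $password matches $storedHash (a shadow-style hash field).
 * Hypothetical helper name, not from the thread.
 */
function verify_crypt_password(string $password, string $storedHash): bool
{
    // Locked or passwordless entries ("!", "*", "!!", "!$6$...", empty) never match.
    if ($storedHash === '' || $storedHash[0] === '!' || $storedHash[0] === '*') {
        return false;
    }
    // crypt() takes the scheme and salt from the front of $storedHash:
    // two characters for traditional DES, "$id$salt$" for MD5/SHA-crypt.
    $candidate = crypt($password, $storedHash);
    // On an unusable salt crypt() returns a short failure token ("*0" or "*1").
    if (strlen($candidate) < 13) {
        return false;
    }
    // Constant-time comparison of the full hash strings.
    return hash_equals($storedHash, $candidate);
}

// Constructed sample entries (not real accounts); the hashes are generated here.
$entries = [
    'alice' => crypt('correct horse', '$6$ConstructedSalt$'), // SHA-512 crypt
    'bob'   => crypt('hunter2', 'ab'),                        // traditional DES
    'svc'   => '!',                                           // locked account
];

$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong guess'],
    ['bob', 'hunter2'],
    ['svc', ''],
];
foreach ($attempts as [$user, $password]) {
    $ok = verify_crypt_password($password, $entries[$user]);
    printf("%-5s %s\n", $user, $ok ? 'match' : 'no match');
}
```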