[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Test user password against a known value

From: "Peter Kiem" <zordah zordah net>
To: <redhat-list redhat com>
Subject: Re: Test user password against a known value
Date: Thu Feb 28 01:18:01 2002

Hi Cameron,

> does it for old style crypt() passwords. There should be equivalent code
> for the MD5 stuff. The only thing you've missed is that most of these
> things use a salt, kept with the hash, to make sure that if two people
> have the same password, their hashes _aren't_ the same.

I've been trying out this script I found on the net (with a couple of lines I 
added for debug).  It is supposed to list all users found with a password 
that matches the first parameter.

#!/usr/bin/perl -w
#test a plain text password. If no login is provided, returns
#the logins of users with that password, and false if no match?
#If a login is provided, returns true if the password
#is the password of that login, false and a warning if user not existing
#or the password is x, and a warning if the account is disabled.

use lib "/usr/lib/perl5/site_perl/5.6.0";
use Crypt::PasswdMD5;

unless (@ARGV){print STDERR "usage:$0 [passwd] [login]\n"; die}
my $passwd=shift;
my $login="";
if (@ARGV){
        $login=shift @ARGV;
}
my @result=();
my @ passwdEntry = ();
my ($user,$pwd);
while (($user, $pwd) = getpwent){
  $enc = Crypt::PasswdMD5::unix_md5_crypt($passwd,$pwd);
  print "$user, $pwd, $enc\n";
        if ($login and ($login eq $user)){
                if ($pwd eq 'x'){
                        print STDERR "you have no access to the password\n";
                        exit 1;
                }
                if ($pwd =~ s/^\!//){
                        print STDERR "warning: account locked\n";
                }
                exit  (! (Crypt::PasswdMD5::unix_md5_crypt($passwd,$pwd) eq 
$pwd)) ;
        }
        elsif ((! $login) and (Crypt::PasswdMD5::unix_md5_crypt($passwd,$pwd) 
eq $pwd))
                {
   print "success\n";
                push @result, $user;
        }
}
if ($login){print STDERR "No such login name: $login\n";}
if (@result){print "@result\n";}
exit ! (@result);


and I am getting output like:
user1, z3Lu.fGQIIKz2, $1$z3Lu.fGQ$yrlYizBt7HUDqmJq5dXNC1
user2, 0pF2M.FIukAWo, $1$0pF2M.FI$XYSqmC0jTzXoUY5dtHpz5/
user3, OMyao/at64nVk, $1$OMyao/at$WIQwz4g28Qs5GbakAps1s/

The result returned from Crypt::PasswdMD5::unix_md5_crypt is much longer than 
the $pwd variable returned by getpwent.  The 8 chars between the 2nd and 3rd 
$ are ALWAYS equal to the $pwd variable.

Any ideas how to proceed from here?

-- 
Regards,
+-----------------------+---------------------------------+
| Peter Kiem            | E-Mail    : <zordah zordah net> |
| Zordah IT             | Mobile    : +61 0414 724 766    |
|   IT Consultancy &    | WWW       : www.zordah.net      |
|   Internet Hosting    | ICQ       : "Zordah" 866661     |
+-----------------------+---------------------------------+

References:
- Re: Test user password against a known value
  - From: Cameron Simpson

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]