Marc Zucchelli on 20 Jan 2006 16:57:30 -0000
I am reinventing the wheel again, I am building a webhosting control panel, and I would like users to sign in with their FTP password. I am trying to figure out the best way of accomplishing this.

1. I could keep an updated md5 hash of their password in a database that I can authenticate against.

2. I could set /etc/shadow to use md5 and authenticate against that, this way the password hash will only be stored in one place, which is good. The only problem is that:

    echo "123456" | md5sum

gives me:

    f447b20a7fcbf53a5d5be013ea0b15af

But an md5 password of 123456 in /etc/shadow looks more like this:

    $1$IlxzSzzz$Iagtf0Kf88rsCAUXzUlKf1

How am I supposed to compare the two? I know I could set /etc/shadow to use DES and compare with Perl's crypt() function, but those DES passwords seem so tiny and insecure.

3. This brought me to PAM, I was skimming through the application developers guide and it seems like PAM INSISTS on 'prompting' the user for a password when _it_ wants to. The guide mentioned a conversation function for working with different protocols, but this all seems a bit much for a simple web application.

I want to know if anyone had any thoughts on this, thanks!

Marc

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
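
The two strings in the post cannot be compared directly: the `$1$` field is md5-crypt (salted, 1000 rounds, its own base-64 alphabet), while `echo ... | md5sum` is a single unsalted MD5 over the text plus a trailing newline. The following is an added example, not part of the original post, that computes both in Python and verifies a candidate password by re-hashing it with the salt embedded in the stored field. The function names are this example's own, and a real login path would normally call the system crypt(3) or PAM rather than reimplement the scheme.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: bytes, salt: bytes) -> str:
    """Compute the $1$ (md5-crypt) string as stored in /etc/shadow."""
    salt = salt[:8]                       # md5-crypt uses at most 8 salt bytes
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                  # mix in the alternate digest
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    n = len(password)
    while n:                              # one byte per bit of the length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                 # fixed 1000 stretching rounds
        h = hashlib.md5()
        h.update(password if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    out = ""                              # scheme-specific base-64 with byte shuffling
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    for a, b, c in groups:
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return "$1$" + salt.decode() + "$" + out

def verify(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt; compare in constant time."""
    parts = stored.split("$")             # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False                      # not an md5-crypt field
    candidate = md5crypt(password.encode(), parts[2].encode())
    return hmac.compare_digest(candidate.encode(), stored.encode())

def md5sum_of_echo(text: str) -> str:
    """What `echo text | md5sum` prints: unsalted MD5 of text + newline."""
    return hashlib.md5(text.encode() + b"\n").hexdigest()
```
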