Michael C. Toren on 20 Jan 2006 18:00:16 -0000



Re: [PLUG] Programmers: PAM Authentication through a web application?


On Fri, Jan 20, 2006 at 08:57:00AM -0800, Marc Zucchelli wrote:
> I know I could set /etc/shadow to use DES and compare with Perl's crypt()
> function, but those DES passwords seem so tiny and insecure.

Don't concern yourself with whether a user's crypted password was computed
using DES or MD5 -- crypt(3) will handle both, depending upon which salt
you feed it.  For example, to authenticate both DES and MD5 passwords in
the /etc/shadow file:

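	my $user = ...;  # user supplied
	my $pass = ...;  # user supplied

	# Fall back to "!!", which no crypt() output can equal, if no hash is found.
	my $shadow = (getpwnam $user)[1] || "!!";
	# The stored hash doubles as the salt, so crypt() picks DES or MD5 from it.
	die "Nope\n" unless (crypt($pass, $shadow) eq $shadow);
	print "Okay\n";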

Of course, you must be root in order to read the crypted passwords from
/etc/shadow.  Otherwise, every attempt will silently fail.

HTH,
-mct
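
An added example, not part of the original post: the same crypt() comparison, extended so that the "silently fail" case (hash not readable without root) and locked accounts are reported separately from a wrong password. The helper names check_hash and ct_eq, the "x" placeholder check, and the sample entries are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 'ok', 'bad', 'locked' or 'unreadable' for a password and a
# shadow-style hash field (hypothetical helper, not from the post).
sub check_hash {
    my ($pass, $stored) = @_;
    # "x" means the real hash was not visible (e.g. not running as root).
    return 'unreadable' if !defined $stored || $stored eq 'x';
    # Empty field (no password set) or a leading "!" / "*" (locked account):
    # refuse instead of feeding the value to crypt().
    return 'locked' if $stored eq '' || $stored =~ /^[!*]/;
    # crypt() reads the scheme and salt from the stored hash itself:
    # "$1$salt$..." selects MD5, a bare two-character salt selects DES.
    my $computed = crypt($pass, $stored);
    # Some libcs return undef for schemes they do not support.
    return 'bad' unless defined $computed;
    return ct_eq($computed, $stored) ? 'ok' : 'bad';
}

# Constructed sample entries: hashes are generated here, not real accounts.
my %sample = (
    md5user => crypt('correct horse', '$1$constrct$'),
    desuser => crypt('correct horse', 'ab'),
    locked  => '!!',
    hidden  => 'x',
);

for my $user (sort keys %sample) {
    my $stored = $sample{$user};
    unless (defined $stored) {   # this libc does not support that scheme
        print "$user: scheme unavailable on this system\n";
        next;
    }
    printf "%-8s right=%-10s wrong=%s\n", $user,
        check_hash('correct horse', $stored), check_hash('guess', $stored);
}
```

In a web application, only 'ok' versus everything else should reach the user; the other states belong in the server log so a permissions problem is not mistaken for a run of bad passwords.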