Date: Sun, 16 Aug 2020 11:13:42 +0000
From: Grzegorz Junka <list1@gjunka.com>
To: Polytropon <freebsd@edvax.de>
Cc: freebsd-questions@freebsd.org
Subject: Re: Verify user password
Message-ID: <6d41a8e6-40a0-26d5-b7b9-b8adabd904d4@gjunka.com>
In-Reply-To: <20200815204911.7007deca.freebsd@edvax.de>
References: <af84bcef-ceff-4d7f-b012-3ef06e0ed5ec@gjunka.com> <20200815204911.7007deca.freebsd@edvax.de>

On 15/08/2020 18:49, Polytropon wrote:
> On Sat, 15 Aug 2020 12:39:06 +0000, Grzegorz Junka wrote:
>> How can I verify if a given password matches the password stored in
>> master.passwd database for a user account that is set up with
>> /nonexistent and /usr/sbin/nologin (so a user that can't normally login
>> to the system but still can have a password stored in the database)?
> First of all, /nonexistent and /usr/sbin/nologin have different
> purposes: if after a successful login the user's interactive shell
> is to be executed, /nonexistent leads to a "cannot find that program
> to execute, exiting right now" situation, while /usr/sbin/nologin
> can actually be executed and then displays an error message and
> exits, terminating the session.
>
> See "man 1 login" and "man 1 nologin" for details.
>
> Regarding password verification:
>
> If you have read access to /etc/master.passwd and the clear text
> password of a user, you can use the crypt() function to generate
> the encrypted password, and then compare that. I think that is
> what you try to do, correct?
>
> provided: plain-text password P from somewhere
>           encrypted password E from /etc/master.passwd
>
> intended: is crypt(P) == E?
>
> approach: P' = crypt(P)
>           test if P' == S
>
> This is of course very simplified. :-)
>
> See "man 5 passwd" and especially "man 3 crypt" for details.
>

Yes, the intention is that the user only has an entry in the master.passwd file (so that sendmail service can verify the password against an entry there). It should not be possible for the user to login (meaning, they should not be able to open an interactive session as that user). I did find some manuals that explain how to generate the password, especially when using different hashing than the default one and store such password in the master.passwd.

That could work, I just hoped that there is a command line utility that is able to verify the password in the same way the system or any service would do without the trickery of fetching the password from master.passwd, verifying the encryption scheme, encrypting the password with the same scheme, then finally testing if they are the same.

Thanks
Grzegorz
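
Added example, not part of the original message or of FreeBSD: a small Python script that performs the crypt(P) == E comparison from the quoted reply, passing the stored field E to crypt(3) as the setting so the scheme and salt come from the entry itself. The function names, the ctypes call into libcrypt and the refusal of empty or `*`-prefixed fields are assumptions of this example; reading /etc/master.passwd requires root.

```python
import ctypes
import ctypes.util
import getpass
import hmac
import sys


def system_crypt(password, setting):
    """Call the C library's crypt(3) via ctypes; returns None if it fails."""
    lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so")
    lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    lib.crypt.restype = ctypes.c_char_p
    out = lib.crypt(password.encode(), setting.encode())
    return out.decode() if out else None


def stored_hash(passwd_line, user):
    """Return the password field of a master.passwd line if it is `user`'s."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 10 or fields[0] != user:  # passwd(5): 10 fields
        return None
    return fields[1]


def verify(passwd_line, user, password, crypt_fn=system_crypt):
    """True only if crypt(P, E) reproduces the stored field E for `user`."""
    stored = stored_hash(passwd_line, user)
    # An empty field (no password set) and "*" or "*LOCKED*..." fields are
    # not hashes; this example refuses them instead of hashing against them.
    if not stored or stored.startswith("*"):
        return False
    # Using E as the setting makes crypt(3) reuse E's scheme id and salt.
    computed = crypt_fn(password, stored)
    if not computed:
        return False
    # Constant-time comparison of the recomputed and stored strings.
    return hmac.compare_digest(computed.encode(), stored.encode())


if __name__ == "__main__":
    # Usage (as root): python3 verifypw.py USERNAME
    user = sys.argv[1]
    password = getpass.getpass("Password for %s: " % user)
    with open("/etc/master.passwd") as fh:
        ok = any(verify(line, user, password) for line in fh)
    print("match" if ok else "no match")
    sys.exit(0 if ok else 1)
```

The check never depends on the account's shell or home directory, so it behaves the same for a /nonexistent and /usr/sbin/nologin account as for an interactive one.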