Date: Fri, 11 Sep 1998 08:53:24 -0700 (PDT)
From: David Wolfskill <dhw@whistle.com>
To: freebsd-questions@FreeBSD.ORG, romank@graphnet.com
Subject: Re: manual password encryption
Message-ID: <199809111553.IAA03477@pau-amma.whistle.com>
In-Reply-To: <35F93AC5.479E89D5@graphnet.com>
>Date: Fri, 11 Sep 1998 10:59:17 -0400
>From: Roman Katsnelson <romank@graphnet.com>
>I would like to be able to verify user privileges with a web GUI.
>Instead of keeping a separate file with unencrypted passwords, though, I
>just wanna be able to verify them from passwd, for example:
>the $QUERY_STRING is blah.cgi?name=johnny&pwd=bgoode
>I wanna match this to:
>grep -e "$name" /etc/passwd | cut -d":" -f1 # will yield user name
>grep -e "$name" /etc/passwd | cut -d":" -f2 # will yield password
>can I manually encrypt the value of $pwd in the above example so that it
>matches the grep | cut output?
Basically, you *could*, except that:
* Normally, in a FreeBSD system, the "encrypted password" field of
/etc/passwd doesn't actually have a password (encrypted or otherwise)
in it. Thus, although the technique you sketched (assuming that you
use the 1st 2 characters of the encrypted password as the "salt" for
encrypting the given (plain-text) password for comparing against the
encrypted password) will work, given access to the encrypted password,
the encrypted password isn't where you're looking.
* The encrypted password is saved in /etc/master.passwd -- maybe.
(Actually, from what I understand, /etc/master.passwd is the "master"
from which both /etc/passwd and /etc/{s,}pwd.db are *generated*. So
you might be able to access /etc/spwd.db or /etc/master.passwd, though
either would require root access privileges or that you reduce the
security of the system to a level that is probably neither desirable
nor warranted.
The "maybe" up there is because it is not necessarily the case that a
"local user" has an entry in /etc/master.passwd & friends -- consider,
for example, NIS ("yp"). In such a case, rather than grepping through
/etc/master.passwd, the analogue is grepping through the output of
"ypcat master.passwd" -- and similarly (by default) requires root
access privs.
You might consider setting up a small, highly abuse-resistant
setuid-root program that could be invoked in a way such that it would
exit with a 0 return code if the specified password matched the one for
the user in question, and non-zero otherwise. Among the less obvious
considerations might be a way to prevent too-frequent accesses to the
program from any single "source" (to reduce the extent to which it might
be used as a means of accomplishing a brute-force password cracking
attempt). Providing a secure means of passing the password to the
program may also be non-trivial, depending mostly on your paranoia level.
(And when dealing with security, paranoia is not necessarily a Bad
Thing.)
david
--
David Wolfskill UNIX System Administrator
dhw@whistle.com voice: (650) 577-7158 pager: (650) 371-4621
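Added example (not code from the thread or from FreeBSD): the checker outlined above, a lookup that matches the login field exactly instead of `grep -e "$name"` substring-matching the whole line, a salt-prefixed hash comparison that refuses the "*" placeholder found in FreeBSD's /etc/passwd, and a per-source attempt cap, returning 0 on match and non-zero otherwise. Assumptions: the passwd lines are constructed, and PBKDF2-SHA256 stands in for crypt(3) since the page's DES crypt is not implemented here.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed passwd-style lines (not from any real system). As the reply notes,
# on FreeBSD the second field of /etc/passwd is "*"; the hash lives in master.passwd.
PASSWD_LINES = [
    "johnny:*:1001:1001:Johnny B:/home/johnny:/bin/sh",
    "johnny2:*:1002:1002:Other Johnny:/home/johnny2:/bin/sh",
]

def lookup_hash(lines, name):
    """Exact match on the login field. `grep -e "$name"` is a substring match
    over the whole line, so it would also hit 'johnny2' or a GECOS field."""
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2 and fields[0] == name:
            return fields[1]
    return None

def salted_hash(salt, password):
    """Stand-in for crypt(3) (assumption: PBKDF2-SHA256 instead of DES crypt).
    The first two characters of the stored value are the salt, as in the thread."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return salt + digest.hex()

def verify(stored, candidate):
    """True only if a real hash is present and the recomputation matches."""
    if not stored or stored.startswith("*") or len(stored) < 3:
        return False  # "*" or empty field: nothing to compare against
    return hmac.compare_digest(salted_hash(stored[:2], candidate), stored)

class RateLimiter:
    """Per-source attempt cap, the brute-force control the reply recommends."""
    def __init__(self, max_attempts, window_seconds):
        self.max, self.window = max_attempts, window_seconds
        self.hits = defaultdict(deque)

    def allow(self, source, now):
        q = self.hits[source]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts older than the window
        if len(q) >= self.max:
            return False
        q.append(now)
        return True

def check_password(lines, name, candidate, limiter, source, now):
    """Exit-code style result: 0 on match, 1 otherwise (including throttled)."""
    if not limiter.allow(source, now):
        return 1
    return 0 if verify(lookup_hash(lines, name), candidate) else 1
```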