Date: Wed, 11 Nov 1998 16:14:07 -0500
From: "Matthew R. Heusser" <matt@pcr7.pcr.com>
To: <freebsd-questions@FreeBSD.ORG>
Subject: Help! Password Compares in FreeBSD
Message-ID: <004601be0db8$e47578c0$47eb1bcc@XSTA71.pcr.com>
Hello!
This is a question about validating passwords over
the web via CGI, but I think any FreeBSD systems
expert should be able to figure it out w/o knowing
perl or CGI. Here goes ...
Right now, I have a HTML page running on a FreeBSD
server. The HTML page accepts a username and password,
and then calls a perl (CGI) process. The perl process finds
the /etc/passwd file and parses it, searching for the username.
When it finds the username, it grabs the encrypted password.
It then takes the 'guess' password, and crypts it as follows -
$stringCipher = crypt($stringGuess, $stringTemp)
(Where $temp is the first two characters of the encrypted password)(*)
Then the following is executed: (pseudo code)
    If stringCipher equals stringCryptedPassword
        do_stuff
    else
        error_message
The code works fine under AIX, but bombs under FreeBSD.
(*) - The crypt-style is MD5, so I'm not sure if I should grab the first
two characters of the encrypted password, as they all start "$1$"
-- I got the idea from "Programming Perl" under "Crypt", page 153. I've
searched through "Perl CGI Programming", "Learning Perl", "An intro
to Berkeley Unix", "Unix Admin. Guide for System V", as well as
CGI FAQ, CGI-Security FAQ, and FreeBSD on-line docs. My conclusion
is that the problem is OS or crypt-library specific (since it works on AIX)
Any ideas? If you could respond by e-mail (matt@pcr7.pcr.com) that
would be greatly appreciated.
thanks,
/*---------------------------------------------------------------------*/
Matthew R. Heusser, PCR Inc.
E-mail: <Matt@pcr7.pcr.com>
Phone: (616)-554-1036
/*---------------------------------------------------------------------*/
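
The check described in the message, as an added Perl example that is not part of the original post: it passes the complete stored hash to crypt() as the salt argument, so the same comparison works for two-character DES salts and for "$1$salt$" MD5 hashes, and it rejects placeholder fields. The function names stored_hash_for and verify_password, the users and the passwd lines are constructed for illustration, and the script assumes the platform's crypt() supports "$1$" hashes.

```perl
use strict;
use warnings;

# Return the password field for $user from passwd-format text, or undef.
sub stored_hash_for {
    my ($passwd_text, $user) = @_;
    for my $line (split /\n/, $passwd_text) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($name, $field) = split /:/, $line, 3;
        return $field if defined $name && $name eq $user;
    }
    return undef;
}

# Verify $guess against $stored. The complete stored hash is the salt
# argument: crypt() takes the scheme and salt it needs from the front of it,
# whether that is a two-character DES salt or a "$1$salt$" MD5 prefix.
sub verify_password {
    my ($guess, $stored) = @_;
    # "*", "x", "!" or an empty field: the real hash is not in this file
    # (shadowed, e.g. /etc/master.passwd on FreeBSD) or the account is locked.
    return 0 if !defined $stored || length($stored) < 13;
    my $computed = crypt($guess, $stored);
    return 0 if !defined $computed || length($computed) != length($stored);
    # Compare every byte instead of stopping at the first difference.
    my $diff = 0;
    $diff |= ord(substr($computed, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample data: the hash is generated here, not taken from a system.
my $md5_hash = crypt('secret', '$1$abcdefgh$')
    or die "crypt() on this platform does not support \$1\$ hashes\n";
my $passwd   = "alice:${md5_hash}:1001:1001::/home/alice:/bin/sh\n"
             . "bob:*:1002:1002::/home/bob:/bin/sh\n";

my $alice = stored_hash_for($passwd, 'alice');
printf "full hash as salt, right guess: %d\n", verify_password('secret', $alice);
printf "full hash as salt, wrong guess: %d\n", verify_password('Secret', $alice);
# The approach from the message: only the first two characters ("$1") as salt.
my $two_char = crypt('secret', substr($alice, 0, 2));
printf "two-char salt matches stored:   %d\n",
    (defined $two_char && $two_char eq $alice) ? 1 : 0;
printf "placeholder entry (bob):        %d\n",
    verify_password('secret', stored_hash_for($passwd, 'bob'));
```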
