Date:      Fri, 11 Sep 1998 21:06:35 -0500
From:      Jon Hamilton <hamilton@pobox.com>
To:        Roman Katsnelson <romank@graphnet.com>
Cc:        "q's" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: manual password encryption 
Message-ID:  <199809120202.TAA12951@hub.freebsd.org>
In-Reply-To: Your message of "Fri, 11 Sep 1998 10:59:17 EDT." <35F93AC5.479E89D5@graphnet.com> 


In message <35F93AC5.479E89D5@graphnet.com>, Roman Katsnelson wrote:
} Hi,
} 
} I would like to be able to verify user privileges with a web GUI.
} Instead of keeping a separate file with unencrypted passwords, though, I
} just wanna be able to verify them from passwd, for example:
} 
} the $QUERY_STRING is blah.cgi?name=johnny&pwd=bgoode

You've just left the user's password displayed in the URL portion of their
browser (most likely), and it gets even worse if they bookmark the URL.
If you care about this, you should consider at least using a POST instead
of a GET.

} I wanna match this to:
} 
} grep -e "$name" /etc/passwd | cut -d":" -f1 # will yield user name
} grep -e "$name" /etc/passwd | cut -d":" -f2 # will yield password

You're in for a world of hurt doing that - it's sort of the right idea,
but what happens when "bobette" exists as a user and is listed earlier in
your password file than "bob"?  When you grep for bob, you'll get both.
Worse, your grep will match anywhere in the password file, including the
GECOS field, which is often user-changeable via chfn.  You'll probably want
to be considerably more careful about parsing the password file.  You won't
be able to just look in the passwd file on a system that does NIS or shadow
passwords, though; the encrypted passwords may not be available to unprivileged 
users at all.

} can I manually encrypt the value of $pwd in the above example so that it
} matches the grep | cut output?

Assuming that you can get to the encrypted password, yes.  You can do so 
using crypt() in a C program, or you can use perl, or even a standalone 
crypt(1) program (FreeBSD doesn't seem to have one, though many UNIX variants 
do, and it'd be easy enough to find or roll one of your own).  If you need help 
with the nuts and bolts, I'll be happy to help you via private email, but 
there are a number of potential problems that stem from doing the kind of 
thing you're talking about.

-- 
   Jon Hamilton  
   hamilton@pobox.com
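The two points in the reply above (grep matching the wrong lines, and re-running crypt() with the stored salt to check a password) as a worked example. This is added here and is not part of the original thread; it uses Ruby because Ruby's String#crypt calls the system crypt(3). Every passwd line, user name, password and the salt are constructed sample data, and the $6$ (SHA-512 crypt) prefix is an assumption about what the local crypt(3) supports; a 1998 /etc/passwd would carry 13-character DES hashes, which the same code handles.

```ruby
# Added example, not code from the original reply. Demonstrates why
# `grep -e "$name" /etc/passwd` is unsafe and how a crypt(3)-based check
# should be done once the hash field is actually available.

# Assumption: the local crypt(3) accepts the $6$ (SHA-512) prefix, as
# glibc, libxcrypt and musl do. Salt value is constructed.
SAMPLE_SALT = '$6$constructed.sal$'

def make_entry(name, uid, gecos, password)
  hash = password.crypt(SAMPLE_SALT)
  "#{name}:#{hash}:#{uid}:#{uid}:#{gecos}:/home/#{name}:/bin/sh"
end

# Constructed passwd-format data containing both traps from the reply:
# "bobette" appears before "bob", and alice's GECOS field mentions "bob".
# alice's hash field is "*" (locked, or the hash lives in shadow/NIS).
SAMPLE_PASSWD = [
  make_entry('bobette', 1001, 'Bobette Example', 'hunter2'),
  make_entry('johnny',  1002, 'Johnny B. Goode', 'bgoode'),
  'alice:*:1003:1003:Alice (works with bob):/home/alice:/bin/sh',
  make_entry('bob',     1004, 'Bob Example', 'secret'),
].join("\n") + "\n"

# What `grep -e "$name" | cut -d: -f1` effectively does: any line that
# contains the name anywhere is taken, and only the first field is kept.
def naive_grep_names(passwd_text, name)
  passwd_text.each_line
             .select { |line| line.include?(name) }
             .map    { |line| line.split(':', -1)[0] }
end

# Parse each record on ':' and return the hash field only for an exact
# match on field 1 (the login name); nil when there is no such user.
def lookup_hash(passwd_text, name)
  passwd_text.each_line do |line|
    fields = line.chomp.split(':', -1)
    next unless fields.size >= 7
    return fields[1] if fields[0] == name
  end
  nil
end

# Length-independent byte comparison so a mismatch is not revealed by
# how early the two strings diverge.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify a password the way login does: crypt(3) reads the salt (and, for
# $-prefixed schemes, the algorithm) out of the stored hash, so hashing the
# candidate with the stored hash as "salt" must reproduce the stored hash.
def verify_password(passwd_text, name, password)
  stored = lookup_hash(passwd_text, name)
  return false if stored.nil? || stored.empty?
  # "*", "x", "!" and similar markers mean no usable hash is here
  # (locked account, or shadow/NIS as the reply warns). Never accept them.
  return false if stored.start_with?('*', 'x', '!')
  secure_equal?(password.crypt(stored), stored)
end

if __FILE__ == $PROGRAM_NAME
  puts "naive grep for 'bob' returns: #{naive_grep_names(SAMPLE_PASSWD, 'bob').inspect}"
  puts "exact lookup of 'bob' gives hash: #{lookup_hash(SAMPLE_PASSWD, 'bob')}"
  puts "johnny/bgoode verifies: #{verify_password(SAMPLE_PASSWD, 'johnny', 'bgoode')}"
  puts "johnny/wrong verifies:  #{verify_password(SAMPLE_PASSWD, 'johnny', 'wrong')}"
  puts "alice (hash '*') verifies: #{verify_password(SAMPLE_PASSWD, 'alice', 'anything')}"
end
```

Run it as a script to see the naive grep return bobette and alice alongside bob, while the exact lookup returns only bob's hash. The same verify_password works against 13-character DES hashes because crypt(3) treats the first two characters of the stored value as the salt, which is exactly the case the original question was about; in practice the hash field will be "*" or "x" on a shadow or NIS system, and the function refuses those rather than comparing against a marker.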

