From owner-freebsd-questions Fri Sep 11 19:02:33 1998
To: Roman Katsnelson
cc: "q's"
Subject: Re: manual password encryption
In-reply-to: Your message of "Fri, 11 Sep 1998 10:59:17 EDT." <35F93AC5.479E89D5@graphnet.com>
Date: Fri, 11 Sep 1998 21:06:35 -0500
From: Jon Hamilton
Sender: owner-freebsd-questions@FreeBSD.ORG

In message <35F93AC5.479E89D5@graphnet.com>, Roman Katsnelson wrote:

} Hi,
}
} I would like to be able to verify user privileges with a web GUI.
} Instead of keeping a separate file with unencrypted passwords, though, I
} just wanna be able to verify them from passwd, for example:
}
} the $QUERY_STRING is blah.cgi?name=johnny&pwd=bgoode

You've just left the user's password displayed in the URL portion of
their browser (most likely), and it gets even worse if they bookmark the
URL. If you care about this, you should consider at least using a POST
instead of a GET.

} I wanna match this to:
}
} grep -e "$name" /etc/passwd | cut -d":" -f1 # will yield user name
} grep -e "$name" /etc/passwd | cut -d":" -f2 # will yield password

You're in for a world of hurt doing that - it's sort of the right idea,
but what happens when "bobette" exists as a user and is listed earlier in
your password file than "bob"? When you grep for bob, you'll get both.
Worse, your grep will match anywhere in the password file, including the
GECOS field, which is often user-changeable via chfn. You'll probably want
to be considerably more careful about parsing the password file.

You won't be able to just look in the passwd file on a system that does
NIS or shadow passwords, though; the encrypted passwords may not be
available to unprivileged users at all.

} can I manually encrypt the value of $pwd in the above example so that it
} matches the grep | cut output?

Assuming that you can get to the encrypted password, yes. You can do so
using crypt() in a C program, or you can use perl, or even a standalone
crypt(1) program (FreeBSD doesn't seem to have one, though many UNIX
variants do, and it'd be easy enough to find or roll one of your own).

If you need help with the nuts and bolts, I'll be happy to help you via
private email, but there are a number of potential problems that stem from
doing the kind of thing you're talking about.

--
Jon Hamilton
hamilton@pobox.com
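
The parsing problem raised in the reply above (a substring grep for "bob" also matching "bobette" and the GECOS field), shown as an added example that is not part of the original message. The sample file contents, the placeholder hash strings and the function names `make_sample`, `naive_lookup` and `strict_lookup` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in passwd(5) layout: name:password:uid:gid:gecos:home:shell
# The hash strings are made-up placeholders, not real crypt() output.
make_sample() {
    cat <<'EOF'
bobette:HASHbobette00:1001:1001:Bobette Example:/home/bobette:/bin/sh
alice:HASHalice00000:1002:1002:friend of bob:/home/alice:/bin/sh
bob:HASHbob0000000:1003:1003:Bob Example:/home/bob:/bin/sh
carol:*:1004:1004:Carol Example:/home/carol:/bin/sh
EOF
}

# The approach from the question: substring match anywhere on the line.
naive_lookup() {   # $1 = name, $2 = passwd-format file
    grep -e "$1" "$2" | cut -d: -f2
}

# Exact match on field 1 only. Prints the password field and returns 0,
# or returns 1 if the name is malformed, unknown, or has no usable hash here.
strict_lookup() {  # $1 = name, $2 = passwd-format file
    case $1 in
        # Reject empty names and anything with regex or separator characters.
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    awk -F: -v u="$1" '
        $1 == u { found = 1; hash = $2; exit }
        END {
            # "*", "x" or empty: the hash is not stored in this file
            # (shadow passwords, NIS, or a locked account).
            if (!found || hash == "" || hash == "*" || hash == "x") exit 1
            print hash
        }' "$2"
}

# Demo on the constructed sample.
f=$(mktemp) && make_sample > "$f"
echo "naive lookup of bob (three lines, first one belongs to bobette):"
naive_lookup bob "$f"
echo "strict lookup of bob (one line):"
strict_lookup bob "$f"
rm -f "$f"
```

The field returned by `strict_lookup` would then be compared with the output of crypt() on the submitted password, using the stored value as the salt.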