Re: Authenticate a User.
- From: Kasper Dupont <kasperd@xxxxxxxxxxx>
- Date: Sun, 04 Dec 2005 02:53:29 +0100
Lars Kellogg-Stedman wrote:
>
> > It is no surprise to get an x in this field when the program
> > is not running as root. However it does come as a surprise to
> > me that it does not even handle shadow passwords when running
> > as root.
>
> This is the point I have been trying to get across. You *cannot* depend
> on getpwnam() + crypt for password information. getpwnam() returns
> entries from /etc/passwd, which on most modern systems doesn't actually
> contain crypted passwords.
I believe the correct solution would be that getpwnam returned
the information from /etc/shadow on systems where that is
supported. I don't have access to the POSIX standard, but if
it makes any sense, then the way getpwnam is currently
implemented on Linux couldn't be compliant.
>
> If you want to support shadow passwords, take a look at the "Linux
> shadow password HOWTO", part of the Linux Documentation Project:
>
> http://www.tldp.org/HOWTO/Shadow-Password-HOWTO.html
>
> In particular:
>
> http://www.tldp.org/HOWTO/Shadow-Password-HOWTO-8.html
>
> Using something like PAM means you get a single, consistent interface to
> work with regardless of what the system is using for authentication.
> It's *not* available everywhere, but it's available on Linux, OS X,
> Solaris, FreeBSD, NetBSD, and elsewhere.
But an application intended to be portable cannot rely on pam
being present.
>
> > That is because the salt may be longer than 2 characters.
>
> Well, maybe. This is true if you're using the MD5 version of crypt,
> which is triggered if you pass it a salt starting with '$1$', in which
> case the salt can be up to eight characters.
That is why I said the salt *may* be longer. It is not always
the case, but if it fails when you use only the first two chars,
then a longer salt is obviously a possible explanation. Many
systems now use MD5 based passwords by default, which always use
more than two chars in the salt.
>
> Non-md5 passwords only have a two-character salt.
DES based passwords only have a two character salt. Currently I
only know about DES based and MD5 based passwords, but in the
future others may be introduced which are most likely going to
use a longer salt just like MD5. The number between the first
two $ signs is used to indicate what kind of algorithm was used.
Maybe some day $2$ in the start of the string will be used to
indicate SHA512 based passwords. And only crypt would need to be
changed in order to support that as well (though you would
probably want to change the password change program as well to
generate passwords using the new kind of salt).
>
> As you mentioned, using the original password as a salt will always do
> the right thing.
Which is why I advise doing it that way.
--
Kasper Dupont
Note to self: Don't try to allocate
256000 pages with GFP_KERNEL on x86.
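The approach the thread settles on, as an added example in C (not code posted by anyone in the thread): read the stored hash via getpwnam(3), fall back to getspnam(3) when the passwd field is the shadow placeholder "x", and pass the whole stored hash to crypt(3) as the salt so the right salt length is used whether the hash is two-character DES, "$1$" MD5, or some later "$id$" scheme. The function names, the sample hash strings and the `stub_crypt` test double are constructed for this example; `crypt` itself is only called when built with `-DUSE_REAL_CRYPT -lcrypt`.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <shadow.h>   /* getspnam(3); glibc/Linux only in this example */
#endif
#ifdef USE_REAL_CRYPT
#include <crypt.h>    /* build with -DUSE_REAL_CRYPT -lcrypt to call the real crypt(3) */
#endif

/* crypt(3)-compatible signature, passed in so the logic runs without libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Placeholders that carry no hash: "x" (shadowed), "*" or "!" (locked). */
static int is_usable_hash(const char *stored)
{
    if (stored == NULL || stored[0] == '\0')
        return 0;
    if (strcmp(stored, "x") == 0 || stored[0] == '*' || stored[0] == '!')
        return 0;
    return 1;
}

/* Number of leading characters crypt(3) treats as the salt:
 *   "$id$salt$..."  -> up to and including the third '$' (12 for "$1$" + 8 + "$")
 *   traditional DES -> the first two characters
 * Returns 0 for placeholders or malformed strings. */
size_t salt_prefix_len(const char *stored)
{
    if (!is_usable_hash(stored))
        return 0;
    if (stored[0] != '$')
        return strlen(stored) >= 2 ? 2 : 0;
    const char *second = strchr(stored + 1, '$');  /* closes the algorithm id */
    if (second == NULL)
        return 0;
    const char *third = strchr(second + 1, '$');   /* closes the salt */
    if (third == NULL)
        return 0;
    return (size_t)(third - stored) + 1;
}

/* Hash for `user`: /etc/passwd first, /etc/shadow when the field is "x"
 * (getspnam needs root). Returns 0 on success, -1 if no hash is readable. */
int lookup_hash(const char *user, char *out, size_t outlen)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    const char *hash = pw->pw_passwd;
    if (strcmp(hash, "x") == 0) {
#ifdef __linux__
        struct spwd *sp = getspnam(user);
        if (sp == NULL)
            return -1;                  /* not root, or no shadow entry */
        hash = sp->sp_pwdp;
#else
        return -1;                      /* no getspnam on this platform */
#endif
    }
    if (!is_usable_hash(hash) || strlen(hash) >= outlen)
        return -1;
    strcpy(out, hash);
    return 0;
}

/* Length-independent compare so a mismatch does not leak where it occurred. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* 1 if `password` hashes to `stored`, else 0. The stored hash is the salt
 * argument, so the algorithm's own salt length is always honored. */
int password_matches(const char *stored, const char *password, crypt_fn cf)
{
    if (salt_prefix_len(stored) == 0)
        return 0;
    char *computed = cf(password, stored);
    return computed != NULL && ct_equal(computed, stored);
}

/* Test double only: echoes the salt prefix and a marker, so the control flow
 * above can be exercised offline. It is NOT a hash function. */
char *stub_crypt(const char *key, const char *salt)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "%.*s%s", (int)salt_prefix_len(salt), salt,
             strcmp(key, "hunter2") == 0 ? "GOODHASH" : "BADHASH");
    return buf;
}

int main(int argc, char **argv)
{
    /* Constructed sample hashes, not real account data. */
    const char *samples[] = { "abJnggxhB/yWI", "$1$saltsalt$h4shh4shh4shh4shh4shh4", "x" };
    for (size_t i = 0; i < 3; i++)
        printf("%-40s salt prefix = %zu\n", samples[i], salt_prefix_len(samples[i]));
#ifdef USE_REAL_CRYPT
    if (argc == 2) {                    /* ./a.out USER ; root needed for shadowed accounts */
        char stored[256];
        if (lookup_hash(argv[1], stored, sizeof stored) != 0) {
            fprintf(stderr, "no readable hash for %s\n", argv[1]);
            return 2;
        }
        return password_matches(stored, getpass("Password: "), crypt) ? 0 : 1;
    }
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

`password_matches` never looks at the salt length itself; it relies on crypt(3) reading as much of the stored string as its algorithm needs, which is exactly why truncating to two characters breaks on "$1$" hashes while passing the full hash works for every scheme crypt knows about.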