getpwnam with md5 encrypted passwds
Hi,

I am trying to validate a given user password against my local passwd file with this piece of code:

if (!( pwd = getpwnam ( user ))) {
    log(ERROR,"User %s not known",user);
    stat=NOUSER;
}
if (!strcmp( crypt(pass,pwd->pw_name), pwd->pw_passwd) ) {
    log(DEBUG|MISC,"HURRAY : %s authenticated\n", user);
    stat = AUTHED;
}

The problem is that my passwords are encrypted in MD5 format, so the strcmp always fails. Now I did not find any usable information on how to work this out on FreeBSD, and how to be independent from the settings in login.conf (so that I don't have to check whether it's using crypt, md5 or blowfish).

The code should be running on 4.x and 5.x.

Any ideas?

Kind regards

Kai
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: getpwnam with md5 encrypted passwds
Quoting Q <[EMAIL PROTECTED]>:

This was a stupid mistake! Thanks.

> Change your crypt line to:
>
> if (!strcmp( crypt(pass,pwd->pw_passwd), pwd->pw_passwd) ) {
>
> Seeya...Q
>
> On Wed, 2003-11-26 at 11:30, [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I am trying to validate a given user password against my local passwd file with
> > this piece of code:
> >
> > if (!( pwd = getpwnam ( user ))) {
> >     log(ERROR,"User %s not known",user);
> >     stat=NOUSER;
> > }
> > if (!strcmp( crypt(pass,pwd->pw_name), pwd->pw_passwd) ) {
> >     log(DEBUG|MISC,"HURRAY : %s authenticated\n", user);
> >     stat = AUTHED;
> > }
> >
> > The problem is that my passwords are encrypted in MD5 format, so the strcmp
> > always fails. Now I did not find any usable information on how to work this out
> > on FreeBSD, and how to be independent from the settings in login.conf
> > (so that I don't have to check whether it's using crypt, md5 or blowfish).
> >
> > The code should be running on 4.x and 5.x.
> >
> > Any ideas?
> >
> > Kind regards
> >
> > Kai
Re: getpwnam with md5 encrypted passwds
"[EMAIL PROTECTED]" wrote:
> I am trying to validate a given user password against my local passwd file with
> this piece of code:
>
> if (!( pwd = getpwnam ( user ))) {
>     log(ERROR,"User %s not known",user);
>     stat=NOUSER;
> }
> if (!strcmp( crypt(pass,pwd->pw_name), pwd->pw_passwd) ) {
>     log(DEBUG|MISC,"HURRAY : %s authenticated\n", user);
>     stat = AUTHED;
> }

I know you have the fix for the crypt of the wrong field, but the proper thing to do is probably to use pan_authenticate() so that you are insensitive to the authentication method being used, rather than crypting and comparing it yourself.

-- Terry
Re: getpwnam with md5 encrypted passwds
> -----Original Message-----
> From: Terry Lambert [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 26 November 2003 13:34
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: getpwnam with md5 encrypted passwds
>
> "[EMAIL PROTECTED]" wrote:
> > I am trying to validate a given user password against my local passwd file with
> > this piece of code:
> >
> > if (!( pwd = getpwnam ( user ))) {
> >     log(ERROR,"User %s not known",user);
> >     stat=NOUSER;
> > }
> > if (!strcmp( crypt(pass,pwd->pw_name), pwd->pw_passwd) ) {
> >     log(DEBUG|MISC,"HURRAY : %s authenticated\n", user);
> >     stat = AUTHED;
> > }
>
> I know you have the fix for the crypt of the wrong field, but the
> proper thing to do is probably to use pan_authenticate() so that
> you are insensitive to the authentication method being used, rather
> than crypting and comparing it yourself.

Looks interesting ... is this method also usable when I have dropped my privs?

cheers
Re: getpwnam with md5 encrypted passwds
On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
> > -----Original Message-----
> > From: Terry Lambert [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, 26 November 2003 13:34
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: getpwnam with md5 encrypted passwds
> >
> > "[EMAIL PROTECTED]" wrote:
> > > I am trying to validate a given user password against my local passwd file with
> > > this piece of code:
> > >
> > > if (!( pwd = getpwnam ( user ))) {
> > >     log(ERROR,"User %s not known",user);
> > >     stat=NOUSER;
> > > }
> > > if (!strcmp( crypt(pass,pwd->pw_name), pwd->pw_passwd) ) {
> > >     log(DEBUG|MISC,"HURRAY : %s authenticated\n", user);
> > >     stat = AUTHED;
> > > }
> >
> > I know you have the fix for the crypt of the wrong field, but the
> > proper thing to do is probably to use pan_authenticate() so that
> > you are insensitive to the authentication method being used, rather
> > than crypting and comparing it yourself.
>
> Looks interesting ... is this method also usable when I have dropped my privs?

I think Terry meant pam_authenticate() (not pan), but to answer your question: no, when you drop your privileges, you do not have access to at least the system's password database (/etc/spwd.db, generated from /etc/passwd and /etc/master.passwd by pwd_mkdb(8)). If this will be any consolation, getpwnam() won't return a password field when you have dropped root privileges either.

G'luck,
Peter

--
Peter Pentchev [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence contains exactly threee erors.
Re: getpwnam with md5 encrypted passwds
[EMAIL PROTECTED] wrote:
> Hi,
>
> I am trying to validate a given user password against my local passwd file with
> this piece of code:
>
> if (!strcmp( crypt(pass,pwd->pw_name), pwd->pw_passwd) ) {

The second argument to crypt here should be pwd->pw_passwd. Otherwise, this doesn't work even with DES-encrypted passwords. The first part of any encrypted password is the 'salt', which effectively indicates how that password is encrypted. You need to give the encrypted password to crypt so it knows which encryption to use for the plaintext.

Tim Kientzle
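The check Q and Tim describe, worked through as an added example; this is not code from the thread or from FreeBSD's libcrypt. It implements the $1$ (MD5-crypt) scheme in pure Python on hashlib, so it runs without a crypt(3) binding, and wraps it in a crypt-style dispatcher that reads the scheme id and salt out of the setting string it is given, which is exactly why the stored hash (pw_passwd), not the user name, has to be the second argument. The function names md5_crypt, crypt_like, check_password and make_entry are this example's own, and the passwords and hashes are constructed here, not taken from any real master.passwd.

```python
"""Password check in the shape crypt(pass, stored) == stored.

Only the $1$ (MD5-crypt) scheme is implemented; a setting string with any
other prefix is rejected rather than guessed at. Sample inputs are
constructed for the example.
"""
import hashlib
import hmac
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> bytes:
    """MD5-crypt ($1$) as used by FreeBSD's crypt(3); salt is at most 8 chars."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds mixing password, salt and the running digest
    for rnd in range(1000):
        c = hashlib.md5()
        c.update(password if rnd & 1 else final)
        if rnd % 3:
            c.update(salt)
        if rnd % 7:
            c.update(password)
        c.update(final if rnd & 1 else password)
        final = c.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return MAGIC + salt + b"$" + encoded


def crypt_like(password: bytes, setting: bytes) -> bytes:
    """Dispatch on the setting prefix the way crypt(3) does with its salt argument.

    Handing the stored hash in as `setting` is what makes the caller
    independent of the scheme chosen in login.conf: scheme id and salt are
    read from the string itself. A user name here has no recognisable
    prefix and is rejected.
    """
    if setting.startswith(MAGIC):
        salt = setting[len(MAGIC):].split(b"$", 1)[0]
        return md5_crypt(password, salt)
    raise ValueError("unsupported scheme in setting string")


def check_password(password: bytes, stored: bytes) -> bool:
    """The corrected check from the thread, with a constant-time compare."""
    if not stored or stored.startswith(b"*"):
        return False  # empty field or locked account: never authenticate
    try:
        computed = crypt_like(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(computed, stored)


def make_entry(password: bytes) -> bytes:
    """Produce a fresh $1$ hash with a random 8-character salt."""
    salt = bytes(secrets.choice(ITOA64) for _ in range(8))
    return md5_crypt(password, salt)


if __name__ == "__main__":
    stored = make_entry(b"correct horse")
    print(stored.decode())
    print(check_password(b"correct horse", stored))  # True
    print(check_password(b"wrong", stored))          # False
    print(check_password(b"correct horse", b"kai"))  # False: user name is not a setting
```

Feeding `crypt_like` a user name instead of the stored hash fails the prefix check, which is the same failure the original code hit with `pwd->pw_name`: the wrong second argument means the wrong salt and scheme, so the output can never equal the stored string.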
Re: getpwnam with md5 encrypted passwds
On Wed, Nov 26, 2003 at 12:01:01PM -0800, [EMAIL PROTECTED] wrote:
> Date: Wed, 26 Nov 2003 16:05:30 +0200
> From: Peter Pentchev <[EMAIL PROTECTED]>
> Subject: Re: getpwnam with md5 encrypted passwds
> To: Kai Mosebach <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="windows-1251"
>
> On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
> > > I know you have the fix for the crypt of the wrong field, but the
> > > proper thing to do is probably to use pan_authenticate() so that
> > > you are insensitive to the authentication method being used, rather
> > > than crypting and comparing it yourself.
> >
> > Looks interesting ... is this method also usable when I have dropped my privs?
>
> I think Terry meant pam_authenticate() (not pan), but to answer your
> question: no, when you drop your privileges, you do not have access to
> at least the system's password database (/etc/spwd.db, generated from
> /etc/passwd and /etc/master.passwd by pwd_mkdb(8)). If this will be any
> consolation, getpwnam() won't return a password field when you have
> dropped root privileges either.

If you will need to do authentication after your program drops privileges, your best course is probably to go through PAM, to install a separate daemon which implements a PAM-supported protocol and which runs with privileges, and then to enable that protocol as a PAM authentication method for your application.

For example, you can install a RADIUS server bound to localhost which runs as root and authenticates against the master password file. Configure the necessary /etc files for pam_radius as described in its man pages, and then add "pam_radius" as an authentication method in /etc/pam.conf for your application. Now you do need to make your application go through the PITA required to be a PAM client, but it can at least authenticate without needing root privileges itself.

I implemented this pretty recently, so I know the approach works, even if it may seem rather roundabout. (LDAP would be another PAM-supported option, but RADIUS seemed simpler to set up in a hurry.)

-- Clifton

--
Clifton Royston -- [EMAIL PROTECTED]
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed? Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow? Well we can do it. We know how.
If you never did, you should. These things are fun, and fun is good.
-- Dr. Seuss
Re: getpwnam with md5 encrypted passwds
Clifton Royston wrote:
> If you will need to do authentication after your program drops
> privileges, your best course is probably to go through PAM, to install
> a separate daemon which implements a PAM-supported protocol and which
> runs with privileges, and then to enable that protocol as a PAM
> authentication method for your application.

[ ... RADIUS example with LDAP mention ... ]

Sounds like a good approach, though I'll point out that had you tried LDAP, you would have been hard put to use LDAP as a proxy protocol to another authentication base (a PAM backend for an LDAP server, while not quite impossible, would be very hard).

How did you avoid the recursion problem of the RADIUS server trying to authenticate via pam_radius to the RADIUS server trying to authenticate ...?

-- Terry
Re: getpwnam with md5 encrypted passwds
Peter Pentchev wrote:
> On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
> > Looks interesting ... is this method also usable when I have dropped my privs?
>
> I think Terry meant pam_authenticate() (not pan), but to answer your
> question: no, when you drop your privileges, you do not have access to
> at least the system's password database (/etc/spwd.db, generated from
> /etc/passwd and /etc/master.passwd by pwd_mkdb(8)). If this will be any
> consolation, getpwnam() won't return a password field when you have
> dropped root privileges either.

Peter is correct on both counts. If I had not seen his reply first, I would have made the same reply. You cannot crypt something you cannot read.

-- Terry
Re: getpwnam with md5 encrypted passwds
On Wed, Nov 26, 2003 at 11:10:01PM -0800, Terry Lambert wrote:
> Clifton Royston wrote:
> > If you will need to do authentication after your program drops
> > privileges, your best course is probably to go through PAM, to install
> > a separate daemon which implements a PAM-supported protocol and which
> > runs with privileges, and then to enable that protocol as a PAM
> > authentication method for your application.
>
> [ ... RADIUS example with LDAP mention ... ]
>
> Sounds like a good approach, though I'll point out that had
> you tried LDAP, you would have been hard put to use LDAP as a
> proxy protocol to another authentication base (a PAM backend
> for an LDAP server, while not quite impossible, would be very
> hard).

Glad I went with my gut feeling rather than wasting a lot of time looking into it then...

> How did you avoid the recursion problem of the RADIUS server
> trying to authenticate via pam_radius to the RADIUS server
> trying to authenticate ...?

That is avoided two ways, either of which would do to prevent the deadly recursion. First, the RADIUS server (FreeRadius) is currently set up to implement "Unix auth" directly against spwd.db, not via PAM. Second, it's not enabled as the default PAM authentication method for all applications, only for some specific application tokens.

We have an intention to add to the application auth against some separate non-password db files, followed by OTP support down the road. Hopefully, as it uses PAM, both should now be relatively easy.

-- Clifton