Posted by David Haynes on 06/13/06 10:17
Vincent Pirez wrote:
> Hi,
>
> Has anyone managed to code anything that will verify the username and
> password of a user against the /etc/shadow file?
>
> I need to authenticate users based on their local system accounts, but
> unfortunately need to do this without recompiling PHP or Apache with custom
> modules.
>
> So far I've managed to pull all of the shadow password strings out and into
> a database, but is there any way of 'matching' the encrypted strings if you
> are given the plain text version, like with md5?
>
> Thanks in advance,
> Vince.
>
>
PHP has a function named 'crypt' that will encrypt strings in the same
way the password is encrypted into the password file. It takes a
password string and a salt string.
The encryption algorithm may vary but is typically either a two
character salt (CRYPT_STD_DES) or an MD5 salt (CRYPT_MD5). The MD5
encryptions are guaranteed to start with a '$' sign.
So, for example, let's say your shadow entry is:
web:$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.:13007:0:99999:7:::
This is an MD5 encrypted password.
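$hash = '$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.'; // second field of the shadow entry
$salt = $hash; // crypt() reads the scheme and salt from the leading part of the stored hash
if (hash_equals($hash, crypt($password, $salt))) { // constant-time comparison
    // password is correct
}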
Do you really want to pull all the shadow entries into a database? Why
not read the file directly and explode() the entries? It seems to me
that you will have synchronization issues the other way.
-david-
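
Added example (not part of the original post): the read-the-line-and-explode() approach suggested above, applied to a single shadow entry, including the locked-account markers a verifier has to reject. verifyShadowEntry() is a hypothetical helper name, and the sample entries are constructed at run time rather than taken from a real system.

```php
<?php
// verifyShadowEntry() is a hypothetical helper, not a PHP built-in.
function verifyShadowEntry(string $line, string $user, string $password): bool
{
    // shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    $fields = explode(':', rtrim($line, "\r\n"));
    if (count($fields) < 2 || $fields[0] !== $user) {
        return false;
    }
    $hash = $fields[1];
    // An empty field (no password set) and "*" / "!" markers (locked or
    // disabled account) are rejected rather than matched.
    if ($hash === '' || $hash[0] === '!' || $hash[0] === '*') {
        return false;
    }
    // Passing the stored hash as the salt makes crypt() reuse its scheme
    // prefix and salt, so the same code handles DES, MD5 and newer schemes.
    $candidate = crypt($password, $hash);
    // On failure crypt() returns a token starting with "*", which cannot
    // equal $hash here. hash_equals() compares in constant time.
    return hash_equals($hash, $candidate);
}

// Constructed sample data: the hash is generated here with an MD5 ($1$) salt.
$sampleHash = crypt('correct horse', '$1$examples$');
$sampleLine = "web:$sampleHash:13007:0:99999:7:::";
$lockedLine = "ftp:!$sampleHash:13007:0:99999:7:::";

var_dump(verifyShadowEntry($sampleLine, 'web', 'correct horse'));
var_dump(verifyShadowEntry($sampleLine, 'web', 'wrong guess'));
var_dump(verifyShadowEntry($lockedLine, 'ftp', 'correct horse'));
```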