Posted by David Haynes on 06/13/06 19:01

Vincent Pirez wrote:
> "David Haynes" <david.haynes2@sympatico.ca> wrote in message
> news:2hwjg.28139$IQ3.12051@fe06.usenetserver.com...
>> PHP has a function named 'crypt' that will encrypt strings in the same way
>> the password is encrypted into the password file. It takes a password
>> string and a salt string.
>>
>> The encryption algorithm may vary but is typically either a two character
>> salt (CRYPT_STD_DES) or an MD5 salt (CRYPT_MD5). The MD5 encryptions are
>> guaranteed to start with a '$' sign.
>>
>> So, for example, let's say your shadow entry is:
>> web:$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.:13007:0:99999:7:::
>>
>> This is a MD5 encrypted password.
>>
>> if( crypt($password, $salt) == '$2$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.')) {
>> // password is correct
>> }
>>
>> Do you really want to pull all the shadow entries into a database? Why not
>> read the file directly and explode() the entries? It seems to me that you
>> will have synchronization issues the other way.
>>
>> -david-
>
> Hi David,
>
> Thanks for the great response. But how do I determine the matching salt?
>
> Thanks,
> Vince.
>
>
The short answer is that the salt of the encrypted password in the
shadow file is used.

A sample program:
<?php
$shadow_pw = '$1$Hlpmlp9i$5VnapGyOuIzJFkPcrvE7a.';
$my_pw = array('foofoofoo', 'letmein');

foreach( $my_pw as $pw ) {
if( crypt($pw, $shadow_pw) == $shadow_pw ) {
echo "The password $pw is good\n");
} else {
echo "The password $pw is bad\n");
}
}
?>

-david-

[Back to original message]