
Comparing current password with one generated through Crypt::PasswdMD5

by c (Hermit)
on Oct 11, 2001 at 23:56 UTC

c has asked for the wisdom of the Perl Monks concerning the following question:

i am just now toying with using crypt::passwdmd5 and linux::passwd to create a script allowing users to change their existing passwords. however, i am trying to put some checking into the script to verify their existing password before accepting the new phrase.
i have the following:

if ($info[1] ne unix_md5_crypt($current, $salt)) {
    print "\nThe password you entered does not match your current passphrase!\n\n";
    exit;
}

now $info[1] is the value of the user's current encrypted password taken from /etc/shadow and $current is the chomp'd input from STDIN that the user provided for his/her current password.
i've added

print "$info[1]\n";
print unix_md5_crypt($current, $salt);

and sure enough the return from the crypt::passwdmd5 is shorter than the passphrase generated by the system (RH 7.1)
any suggestions on keys that i may have missed?

humbly -c

Replies are listed 'Best First'.
Re: Comparing current password with one generated through Crypt::PasswdMD5
by wog (Curate) on Oct 12, 2001 at 00:29 UTC
    I would suggest not using Crypt::PasswdMD5, but instead using Authen::PAM, a module which allows you to avoid worrying about exactly how and where passwords are stored and makes customization in how passwords are authenticated easier. It may also avoid the need for your program to be setuid. The only disadvantage is that there are probably some systems without PAM, where this would not be an option, but in my experience most UNIX systems have it.

    (update: no_slogan tells me that Slackware does not have PAM, for some reason.)

Re: Comparing current password with one generated through Crypt::PasswdMD5
by no_slogan (Deacon) on Oct 12, 2001 at 00:16 UTC
    What are you using for $salt? MD5 passwords seem to use a much longer salt than traditional crypt() passwords.
    > perl -e 'print crypt("foobaz", q[$1$1234567890$]), "\n"'
    $1$12345678$ykZ52jdThSTvvsWlFFrxg0
    Update: It's probably better to let crypt extract the salt rather than trying to do it yourself. Just use
    crypt($current, $info[1])
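
An added example, not part of the original thread, of the approach in the last reply: the stored hash itself is passed to Perl's built-in crypt() so the scheme and salt are taken from it. The sample entry is constructed inside the script, check_password is a hypothetical helper name, and a libc whose crypt() supports MD5 ($1$) hashes is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Verify a candidate password against a stored crypt(3) hash.
# Passing the stored hash as the salt argument lets crypt() pick out
# the scheme prefix ($1$ for MD5) and the salt on its own.
sub check_password {
    my ($candidate, $stored) = @_;
    # Empty, locked (!...) or disabled (*) shadow fields never match.
    return 0 if !defined $stored || $stored eq '' || $stored =~ /^[!*]/;
    my $computed = crypt($candidate, $stored);
    # crypt() can return undef or a short error token when the local
    # libc does not support the scheme; treat both as a mismatch.
    return 0 if !defined $computed || length($computed) != length($stored);
    return $computed eq $stored ? 1 : 0;
}

# Constructed sample entry: 'foobaz' hashed with an 8-character salt,
# in the form a system using MD5 passwords keeps in /etc/shadow.
my $stored = crypt('foobaz', '$1$12345678$');
die "this libc's crypt() has no MD5 (\$1\$) support\n"
    unless defined $stored && $stored =~ /^\$1\$/;

# Fields of the entry are separated by '$': '', scheme, salt, hash.
my ($scheme, $salt) = (split /\$/, $stored)[1, 2];
print "stored entry : $stored\n";
print "scheme / salt: $scheme / $salt\n";

for my $try ('foobaz', 'foobar') {
    printf "%-8s => %s\n", $try,
        check_password($try, $stored) ? 'match' : 'no match';
}

# A salt other than the one in the stored entry yields a different
# (here also shorter) string, so comparing it to the stored entry
# fails even when the password is right.
my $other = crypt('foobaz', '$1$ab$');
print "salt 'ab'    : $other\n" if defined $other;

# A locked account (leading '!') is rejected before crypt() is called.
print "locked entry : ",
    check_password('foobaz', "!$stored") ? 'match' : 'no match', "\n";
```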
