Matching encrypted passwords

perlmoi has asked for the wisdom of the Perl Monks concerning the following question:

Greetings Monks,

Hopefully someone with a bit more robe ruffling experience than I can weigh in here...

I'm trying to match encrypted passwords in /etc/shadow (edit: actually stored in a DB, encrypted passwords only) with those programatically generated using Crypt::Password, but I must be missing something (eg, what salt is used in Linux when the password command is used to set/change the password. edit: I started scanning the passwd(1) source to get a clue, but started to feel nauseous either from the code, or from christmas chow, not sure which)

eg, given the following /etc/shadow entry (user 'bob', password 'abc'):

bob:$1$Wl2RANfv$M9PjezS//sUMDRnhhO5vR1:16065::::::
[download]

I now to try to replicate that password using this code ($1 implies MD5):

use Crypt::Password;

print password("abc", "bo", "md5") . "\n";
[download]

Which yields:

$1$bo$e/EvseYfe8hj3LasblgjX.
[download]

...Obviously not a match

Am I on the right track here? Is this a case of not using the same salt string?

FYI, I need this to authenticate users which are being migrated from an /old/ server to a new one, and we only have the encrypted passwords, so I need to authenticate them with new proposed systems...

I'd appreciate pointers in what I'm doing wrong here. Thanks a mill.

---------------------------

Documenting answer: Abbot ambrus on chatterbox says pass the entire encrypted string as salt (lib will know how to parse it):

use Crypt::Password;

print password("abc", '$1$Wl2RANfv$M9PjezS//sUMDRnhhO5vR1', "md5") . "
+\n";
[download]

thanks!!

Comment on Matching encrypted passwords Select or Download Code

Replies are listed 'Best First'.
Re: Matching encrypted passwords by zentara (Cardinal) on Dec 26, 2013 at 19:04 UTC
Just for anyone who didn't get the idea, here are some old notes, showing how to get the salt values between the $$. It's different for DES, md5sum, sha1sum, and higher variants. #!/usr/bin/perl use Crypt::PasswdMD5; #The secret to getting crypt to work correctly is in providing #a salt starting with '$1$' and having 8 characters #(instead of the normal 2 used for DES-crypt). #There are similar conventions for using other crypt variants #(e.g. '$2$' for SHA-crypt). my $passwd = 'whoopdeedoo'; my $salt = '$1$qwertyuz'; print "md5crypt salt= $salt \n"; print "-------------------------------------\n"; my $crypted = unix_md5_crypt $passwd, $salt; print "$crypted\n"; my $crypted = crypt $passwd, $salt; #crypt works as well print "$crypted\n"; print crypt ($passwd, $salt), "\n"; ###################################################################### print "#################################################\n"; print "des crypt salt= xy \n"; my $passwd = 'whoopdedoo'; my $salt = 'xy'; print "-------------------------------------\n"; my $crypted = crypt $passwd, $salt; print "$crypted\n"; print crypt ($passwd, $salt), "\n"; #Note that the MD5-based crypt() is not the same as #obtaining the hash of your password with Digest::MD5 or similar. #The algorythm used internally by the MD5-based crypt() uses a #number of transformations in which the MD5 algorythm is used, #but is very different. #Crypt::PasswdMD5 implements this algorythm in Perl, #allowing you to reproduce the result of said crypt() functions #in non-*nix systems or systems without a compatible crypt() #implementation. [download] I'm not really a human, but I play one on earth. Old Perl Programmer Haiku ................... flash japh	[reply] [d/l]
Re: Matching encrypted passwords by ysth (Canon) on Dec 26, 2013 at 19:16 UTC
Don't pass the algorithm either, since that will also be parsed; if you pass one it is ignored. (Well, actually it tries to validate it but then ignores the validation failure in case it's an algorithm the module doesn't know about, and then later ignores it anyway since you specified a salt.) `use Crypt::Password 'password'; my $password = 'abc'; my $crypt = '$1$Wl2RANfv$M9PjezS//sUMDRnhhO5vR1'; print "Password matches\n" if password( $password, $crypt ) eq $crypt;` [download] -- A math joke: r = \| \|csc(θ)\|+\|sec(θ)\| \|-\| \|csc(θ)\|-\|sec(θ)\| \|	[reply] [d/l]