Comparing current password with one generated through Crypt::PasswdMD5

c has asked for the wisdom of the Perl Monks concerning the following question:

i am just now toying with using crypt::passwdmd5 and linux::passwd to create a script allowing users to change their existing passwords. however, i am trying to put some checking into the script to verify their existing password before accepting the new phrase.
i have the following:

if ($info[1] ne unix_md5_crypt($current, $salt)) {
  print "\nThe password you entered does not match your current passph
+rase!\n\n";
  exit;
}
[download]

now $info[1] is the value of the user's current encrypted password taken from /etc/shadow and $current is the chomp'd input from STDIN that the user provided for his/her current password.
i've added

print "$info[1]\n";
print unix_md5_crypt($current, $salt);
[download]

and sure enough the return from the crypt::passwdmd5 is shorter than the passphrase generated by the system (RH 7.1)
any suggestions on keys that i may have missed?

humbly -c

Comment on Comparing current password with one generated through Crypt::PasswdMD5 Select or Download Code

Replies are listed 'Best First'.
Re: Comparing current password with one generated through Crypt::PasswdMD5 by wog (Curate) on Oct 12, 2001 at 00:29 UTC
I would suggest not using Crypt::PasswdMD5, but instead using Authen::PAM, a module which allows you to avoid worrying about exactly how and where passwords are stored and makes customization in how passwords are authenticated easier. It may also avoid the need for your program to be setuid. The only disadvantage is that there are probably some systems without PAM, where this would not be an option, but in my experience most UNIX systems have it. (update: no_slogan tells me that Slackware does not have PAM, for some reason.)	[reply]
Re: Comparing current password with one generated through Crypt::PasswdMD5 by no_slogan (Deacon) on Oct 12, 2001 at 00:16 UTC
What are you using for $salt? MD5 passwords seem to use a much longer salt than traditional crypt() passwords. `> perl -e 'print crypt("foobaz", q[$1$1234567890$]), "\n"' $1$12345678$ykZ52jdThSTvvsWlFFrxg0` [download] Update: It's probably better to let crypt extract the salt rather than trying to do it yourself. Just use `crypt($current, $info[1])` [download]	[reply] [d/l] [select]