robintiwari has asked for the wisdom of the Perl Monks concerning the following question:

Please help me with how to validate a user's password in /etc/shadow, inputted from the web.

Replies are listed 'Best First'.
Re: how to validate users password in /etc/shadow inputed from web
by Zaxo (Archbishop) on Aug 21, 2005 at 04:51 UTC

    Spiritway is correct about basic procedure. You need to call getpwnam as root to get the shadow entry for the password hash.

    I hope you aren't trying to implement a design which hands out shell accounts to self-identified web users. If you are, shoot the designer. The http server has sufficient authentication support for site membership without involving host accounts.

    After Compline,
    Zaxo

Re: how to validate users password in /etc/shadow inputed from web
by spiritway (Vicar) on Aug 21, 2005 at 04:42 UTC

    I suggest that you use the same encryption algorithm used to encrypt the password. When the user enters his password, encrypt it and compare to whatever's in /etc/shadow. This assumes you'll have read rights to /etc/shadow.

    In general, there is no feasible way to decrypt passwords, which is the whole idea behind encrypting them.

Re: how to validate users password in /etc/shadow inputed from web
by zshzn (Hermit) on Aug 21, 2005 at 04:48 UTC
    I would suggest you find a different form of authentication. Among other problems, you would be running your webserver or application with higher privileges to access /etc/shadow. If you must allow access as determined by system accounts, perhaps consider spawning a copy of /etc/shadow first.
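
The comparison spiritway and Zaxo describe, as an added example that is not part of any reply in this thread: hash the submitted password with the scheme and salt taken from the stored field, refuse locked or empty entries, and compare in constant time. `check_password` and `ct_eq` are hypothetical names, the sample hash is constructed locally rather than read from /etc/shadow, and the demo assumes a Linux crypt(3) with SHA-512 (`$6$`) support.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constant-time comparison, so timing does not reveal how much of the hash matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Hypothetical helper: $stored is the password field of a shadow entry,
# $candidate is the password submitted by the user.
# In real use $stored would come from (getpwnam($user))[1] called as root,
# which is the privilege requirement the replies warn about.
sub check_password {
    my ($stored, $candidate) = @_;
    # An empty field, or one starting with "!" or "*", means no usable
    # password or a locked account: always refuse.
    return 0 if !defined $stored || $stored eq '' || $stored =~ /^[!*]/;
    return 0 if !defined $candidate || $candidate eq '';
    # crypt() reads the scheme and salt from the stored hash itself.
    my $computed = crypt($candidate, $stored);
    # An unsupported scheme yields undef or a "*"-prefixed failure token.
    return 0 if !defined $computed || $computed =~ /^\*/;
    return ct_eq($computed, $stored) ? 1 : 0;
}

# Constructed sample: build a hash here instead of reading /etc/shadow.
my $stored = crypt('correct horse', '$6$constructedsalt$');
die "this platform's crypt(3) lacks SHA-512 support\n"
    unless defined $stored && $stored =~ /^\$6\$/;

printf "right password: %d\n", check_password($stored, 'correct horse');
printf "wrong password: %d\n", check_password($stored, 'wrong');
printf "locked account: %d\n", check_password('!' . $stored, 'correct horse');
```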