Encrypting password

I have a strange question for someone regarding the AIX 5.2 environment.

Here is the scenario:
I have a script that is running a menu full of options.

  1. I like food
  2. I don't like food

Enter Option:_
Enter userID:_
Enter Password:_

(The menu is conversational only so go with me on this)

The user already has an ID on the system and is able to authenticate but I want to track the user and ensure that it is indeed that user that answered.

I need to pass the userid and passwd to the /etc/security/passwd file to ensure that it is this user.

The problem is that the passwd is encrypted. Since I cannot decrypt it, can I encrypt it using the DES that AIX is using and then search for the match?

Any other ideas?

Run it as neither root nor the user in question. Do not prompt for the password. Instead, create a test file name that does not exist:
testfilename=/tmp/testfood$$

Now invoke su to create that file:

su "$user" -c "touch $testfilename"

Now test to see if the file exists and is owned by $user.
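The check Perderabo describes, written out as an added example (this is not his code, and the thread's own snippets are ksh; it is in Python here so the ownership test compares uids instead of parsing `ls -l` output). The function and constant names are assumed, `/tmp/testfood` follows the thread's own path, and the `runner` parameter exists only so the su call can be swapped out when exercising the logic without a terminal:

```python
import os
import pwd
import subprocess

PROBE_PREFIX = "/tmp/testfood"  # assumed prefix, after the thread's /tmp/testfood$$


def probe_path(pid=None):
    """File that su will be asked to create: unique per process, like $$ in ksh."""
    return "%s%d" % (PROBE_PREFIX, os.getpid() if pid is None else pid)


def current_user():
    """Login name of the calling uid (used when exercising the logic)."""
    return pwd.getpwuid(os.getuid()).pw_name


def owned_by(path, user):
    """True iff `path` is a regular file whose owner uid is that of `user`.
    Compares uids from pwd instead of parsing ls -l; unknown users give False."""
    try:
        uid = pwd.getpwnam(user).pw_uid
        st = os.stat(path)
    except (KeyError, OSError):
        return False
    return os.path.isfile(path) and st.st_uid == uid


def run_su(user, path):
    """Ask su(1) to touch `path` as `user`. su prompts on the terminal and
    verifies the password itself; this script never sees it."""
    if os.geteuid() == 0:
        raise RuntimeError("run as an unprivileged user: root's su never prompts")
    # `user` is its own argv element, so no shell ever parses it; `path` is
    # built from PROBE_PREFIX plus digits and carries no shell metacharacters.
    return subprocess.call(["su", user, "-c", "touch %s" % path])


def verify_with_su(user, path=None, runner=run_su):
    """True only if `runner` (su by default) succeeded AND the probe file
    now exists and belongs to `user`. The file must not exist beforehand,
    otherwise a pre-planted file would count as proof."""
    path = probe_path() if path is None else path
    if os.path.lexists(path):
        raise RuntimeError("probe path already exists, refusing: " + path)
    try:
        return runner(user, path) == 0 and owned_by(path, user)
    finally:
        try:
            os.unlink(path)  # never leave the probe behind
        except OSError:
            pass


if __name__ == "__main__":
    import sys
    print("authenticated" if verify_with_su(sys.argv[1]) else "NOT authenticated")
```

su is the component that rejects a wrong password, and it only asks for one when the caller is not root, which is why run_su refuses to proceed as uid 0. The existence check before the call and the uid comparison after it are what keep a file pre-planted in the world-writable /tmp from passing as proof: a file someone else put there fails the ownership test, and one put there by the claimed user proves nothing beyond what su already proved.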

By doing what you mentioned, it still defeats the purpose of ensuring that the user is authentic. I can put in any ID and test whether that ID created the file.

Typically, only the user should know their own password, which would allow me to verify authenticity.

If you build a web-based script you can use htpasswd to help authenticate the user.

Just a thought.....

[quote]

NAME
htpasswd - Create and update user authentication files

SYNOPSIS
htpasswd [ -c ] [ -m | -d | -s | -p ] passwdfile username
htpasswd -b [ -c ] [ -m | -d | -s | -p ] passwdfile username password
htpasswd -n [ -m | -d | -s | -p ] username
htpasswd -nb [ -m | -d | -s | -p ] username password

DESCRIPTION
htpasswd is used to create and update the flat-files used to store usernames
and passwords for basic authentication of HTTP users. If htpasswd cannot
access a file, such as not being able to write to the output file or not
being able to read the file in order to update it, it returns an error
status and makes no changes.

Resources available from the httpd Apache web server can be restricted to
just the users listed in the files created by htpasswd. This program can
only manage usernames and passwords stored in a flat-file. It can encrypt
and display password information for use in other types of data stores,
though. To use a DBM database see dbmmanage.

htpasswd encrypts passwords using either a version of MD5 modified for
Apache, or the system's crypt() routine. Files managed by htpasswd may
contain both types of passwords; some user records may have MD5-encrypted
passwords while others in the same file may have passwords encrypted with
crypt().

....

[/quote]

Huh?? If a non-root user attempts to invoke su to change to another user, su will demand a password and verify it.

Perderabo:

I got you now, I totally overlooked the su switch.

Neo, Web based is not an option for me at this time.

Thanks both of you for your time! It is greatly appreciated!

Hi Justman,

I only just joined this forum, but have recently completed a similar exercise.

I have a script and a C program that was used to migrate users with the encrypted passwords to a P690 running AIX 5.2. With some slight modification the following should work.

Here is the code for pass.c

===============snip================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* crypt() prototype on AIX; on Linux use <crypt.h> and link with -lcrypt */

int main(int argc, char **argv)
{
    const char *salt = "yM";   /* fixed two-character DES salt, as in the original program */
    char *cpass;

    if (argc != 2) {
        fprintf(stderr, "usage: %s password\n", argv[0]);
        return 1;
    }
    cpass = crypt(argv[1], salt);   /* points at a static buffer; NULL on failure */
    if (cpass == NULL) {
        perror("crypt");
        return 1;
    }
    puts(cpass);
    return 0;
}
================snip===============

Here is one way of using the password stuff.

================snip===============
#!/usr/bin/ksh
#############################################################################
#
# adduser.ksh #
# Description: Adds new users to the system group and sets up initial
# password.
#
# Usage: adduser.ksh < input_file
# where input_file has the format:-
# username userid groupid firstname lastname
#
# Co-Reqs: pass (generate encrypted password)
# gettime (returns seconds since epoch)
#
#############################################################################

#############################################################################
#
# must have root access to run this
#
#############################################################################

if [ "$(id -u)" -ne 0 ]    # check the real uid; LOGNAME is just an environment variable any user can set
then
    print "You must be root to run this"
    exit 1
fi

#############################################################################
#
# define location of binaries
#
#############################################################################

BINDIR=/home/davem/bin

#############################################################################
#
# Make a copy of the user security files to regress the changes made by
# this script all that is required is to copy the files back from the .orig
# versions.
#
#############################################################################

cp /etc/passwd /etc/passwd.orig
cp /etc/security/passwd /etc/security/passwd.orig
cp /etc/group /etc/group.orig

#############################################################################
#
# Start processing the users to be created, echo each to the screen.
#
#############################################################################

while read user id group fullname; do
    [ -z "$user" ] && break    # stop at the first blank line, as before
    print "User: $user\t\tid: $id\t\tGroup: $group\t\tName: $fullname"
    mkuser id="$id" pgrp="$group" groups="$group,staff,system" gecos="$fullname" "$user" || {
        print "mkuser failed for $user, skipping"
        continue
    }
    # a new user starts with '*' (no password) in /etc/passwd; '!' tells AIX to consult /etc/security/passwd
    sed "/^$user:/s/:\*:/:\!:/" /etc/passwd > /etc/passwd.new && mv /etc/passwd.new /etc/passwd
    if [ "$(grep -c "^$user:" /etc/security/passwd)" != "1" ]; then
        print "\n$user:" >> /etc/security/passwd
        print "\tpassword = $("$BINDIR/pass" CH4ng3me)" >> /etc/security/passwd
        print "\tlastupdate = $("$BINDIR/gettime")" >> /etc/security/passwd
        print "\tflags = ADMCHG" >> /etc/security/passwd
    fi
done

chown root /etc/passwd
chgrp security /etc/passwd
chmod 664 /etc/passwd

exit 0;

==================snip====================

With a little modification it should be possible to do what you require with the pass program.

Rgds

Dave
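The comparison the original question asks about, and the one Dave's pass.c is meant to feed, done the way a practitioner would want it: read the user's stanza from /etc/security/passwd, take the salt from the first two characters of the stored hash (rather than a hard-coded "yM"), crypt the supplied password with that salt, and compare in constant time. This is an added example, not code from the thread or from AIX. The stanza text is constructed, the function names are the author's own, and crypt(3) is reached through libcrypt via ctypes with the stdlib crypt module as a fallback where it still exists; if the library refuses DES, the check simply fails closed:

```python
import ctypes
import ctypes.util
import hmac

SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_BACKEND = []  # cache: [callable] once probed


def _crypt_backend():
    """Locate crypt(3): libcrypt through ctypes, else the stdlib crypt module
    (gone in Python 3.13). Returns None if neither is available."""
    if _BACKEND:
        return _BACKEND[0]
    fn = None
    for lib in (ctypes.util.find_library("crypt"), "libcrypt.so.1", "libcrypt.so.2", None):
        try:
            sym = ctypes.CDLL(lib).crypt
        except (OSError, AttributeError):
            continue
        sym.restype, sym.argtypes = ctypes.c_char_p, [ctypes.c_char_p, ctypes.c_char_p]
        fn = lambda pw, salt, sym=sym: (sym(pw.encode(), salt.encode()) or b"").decode()
        break
    if fn is None:
        try:
            import crypt
            fn = crypt.crypt
        except ImportError:
            pass
    _BACKEND.append(fn)
    return fn


def des_crypt(password, salt):
    """Traditional DES crypt(3): two-character salt, 13-character result, and
    only the first 8 bytes of the password count. Returns None for a bad salt
    or when the library refuses DES (libxcrypt built without it yields '*0')."""
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        return None
    fn = _crypt_backend()
    out = fn(password, salt) if fn else None
    return out if out and len(out) == 13 and out.startswith(salt) else None


def parse_stanzas(text):
    """Parse AIX stanza syntax ('name:' line, then indented 'attr = value'
    lines; a line starting with '*' is a comment) into {name: {attr: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("*"):
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def stored_hash(text, user):
    """The 'password =' value of the user's stanza, or None if absent."""
    return parse_stanzas(text).get(user, {}).get("password")


def verify_password(text, user, password):
    """True iff crypt(password, salt taken from the stored hash) equals the
    stored hash. Markers such as '*' (no password) or any value that is not
    13 characters long never match."""
    stored = stored_hash(text, user)
    if stored is None or len(stored) != 13:
        return False
    computed = des_crypt(password, stored[:2])  # the salt is the first two characters
    return computed is not None and hmac.compare_digest(computed.encode(), stored.encode())


def sample_file(justman_hash):
    """Constructed /etc/security/passwd contents for the demo (not a real file)."""
    return ("* constructed sample\njustman:\n\tpassword = %s\n\tlastupdate = 1054036800\n"
            "\tflags = ADMCHG\n\nnopass:\n\tpassword = *\n" % justman_hash)


if __name__ == "__main__":
    import getpass
    with open("/etc/security/passwd") as f:  # mode 600 root:security on AIX, so this needs privilege
        text = f.read()
    user = input("Enter userID: ")
    print("match" if verify_password(text, user, getpass.getpass("Enter Password: ")) else "no match")
```

Two caveats the thread does not spell out. First, /etc/security/passwd is readable only by root and the security group, so the menu script would itself need privilege to take this route, which is exactly the problem Perderabo's su approach avoids. Second, traditional DES crypt uses only the first eight characters of the password, so "CH4ng3me" and "CH4ng3meXYZ" produce the same hash and both verify; a fixed salt such as "yM" additionally makes identical passwords hash identically across users, which is why the salt is read from the stored value here instead.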