Hi there,
There's something I don't understand. The same string does not give the same md5 hash everytime. I wanted to find a way to check someone's password but the following script obviously shows that it's not possible that way :
UNIX passwords contain a "salt" in order to create (a bit of) randomness and make them less guessable. To generate a password you usually call the crypt(3) routine with an empty salt. To check a password, you pass the hashed password as the salt to crypt(3), which extracts the salt originally used and uses this to create the other hashed password. If both hashes match, you've got the correct password.
pludi is correct, determining MD5 salt could be based on several things, timestamp that the user was created, last password change, you name it. Determining password is a pain in the butt, you could get some crack utilities like John the Ripper. But if you are the sysadmin of the box, reset the password, or force a password change for the end user.
Being security conscious I don't want a file laying around with passwords in an unencrypted format.. Get a trojan horse have that file stolen and kiss your career goodbye.
Hi pludi,
It took me a while to understand your "chinese". Sorry, I'm not a real pro.
Hi rmuledeer and thanks for your help as well.
Actually, the salt must only be part of the hashed password. The following shows that without salt, the hash is "random" but if you provide a specific one, you get the same hash.
So far, so good. The problem is that I'm trying to create a web interface to allow users to change their password. Why?
1) They don't know what unix is and would not be able to change it through the shell (they don't even have access to it).
2) But they use several services that rely on their unix account
It's a small group of people that I know and they just tell me their password but I'd like this to be more confidential.
So I have my script that checks a password before changing it. But it must be executed as root and the web page is www-data. Any idea to work around this?
1) Let www-data store the form (username, oldpassword, newpassword) in a file and run a cron every minute so root can apply the changes (dumb eh!)
Problem1: The password lays uncrypted during 30 seconds.
Problem2: I cannot warn the user if he has entered an incorrect oldpassword.
2) Give www-data superpowers (dumber?)