Date:      Wed, 11 Nov 1998 16:14:07 -0500
From:      "Matthew R. Heusser" <matt@pcr7.pcr.com>
To:        <freebsd-questions@FreeBSD.ORG>
Subject:   Help! Password Compares in FreeBSD
Message-ID:  <004601be0db8$e47578c0$47eb1bcc@XSTA71.pcr.com>

Hello!

This is a question about validating passwords over
the web via CGI, but I think any FreeBSD systems
expert should be able to figure it out w/o knowing
perl or CGI.  Here goes ...

Right now, I have a HTML page running on a FreeBSD
server.  The HTML page accepts a username and password,
and then calls a perl (CGI) process.  The perl process finds
the /etc/passwd file and parses it, searching for the username.
When it finds the username, it grabs the encrypted password.

It then takes the 'guess' password, and crypts it as follows -

$stringCipher = crypt($stringGuess, $stringTemp)
  (Where $temp is the first two characters of the encrypted password)(*)

Then the following is executed: (pseudo code)
  If stringCipher equals stringCryptedPassword
     do_stuff
  else
     error_message

 The code works fine under AIX, but bombs under FreeBSD.
 (*) - The crypt-style is MD5, so I'm not sure if I should grab the first
 two characters of the encrypted password, as they all start "$1$"

  -- I got the idea from "Programming Perl" under "Crypt", page 153. I've
searched through "Perl CGI Programming", "Learning Perl", "An intro
to Berkeley Unix",  "Unix Admin. Guide for System V", as well as
CGI FAQ, CGI-Security FAQ, and FreeBSD on-line docs.  My conclusion
is that the problem is OS or crypt-library specific (since it works on AIX)

  any ideas?   if you could respond by e-mail (matt@pcr7.pcr.com) that
would be greatly appreciated.

thanks,

/*---------------------------------------------------------------------*/
Matthew R. Heusser,  PCR Inc.
E-mail:  <Matt@pcr7.pcr.com>
Phone:  (616)-554-1036
/*---------------------------------------------------------------------*/
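
Added example, not part of the original e-mail: the comparison described above, written so that it works for both traditional DES entries and "$1$" MD5 entries by passing the whole stored hash to crypt() as the salt instead of its first two characters. The user names, password and salt are constructed sample data, the helper names are hypothetical, and the platform's crypt(3) is assumed to support "$1$" hashes.

```perl
use strict;
use warnings;

# Byte-wise comparison that does not stop at the first mismatch.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Return the hash field for $user from passwd-style text (name:hash:...).
sub stored_hash_for {
    my ($user, $passwd_text) = @_;
    for my $line (split /\n/, $passwd_text) {
        my ($name, $hash) = split /:/, $line, 3;
        return $hash if defined $name && $name eq $user;
    }
    return;
}

# Hypothetical helper: 1 if $guess matches the stored crypt(3) hash, else 0.
sub check_password {
    my ($guess, $stored) = @_;
    # Empty or locked fields ("", "*") are never valid hashes: fail closed.
    return 0 unless defined $stored && length($stored) >= 13;
    # Pass the WHOLE stored hash as the salt argument. crypt() reads the
    # scheme marker and salt from it ("ab..." for DES, "$1$salt$..." for MD5).
    return constant_time_eq(crypt($guess, $stored), $stored);
}

# Constructed sample data: the hash is generated here, not taken from a system.
my $hash   = crypt('correct horse', '$1$Zx8qLmN2$');
my $passwd = join "\n",
    'root:*:0:0:Sample root:/root:/bin/csh',
    'matt:' . $hash . ':1001:1001:Sample user:/home/matt:/bin/sh',
    '';

my $stored = stored_hash_for('matt', $passwd);
printf "full hash as salt, right password:  %d\n", check_password('correct horse', $stored);
printf "full hash as salt, wrong password:  %d\n", check_password('wrong guess', $stored);
# The approach from the message: only the first two characters ("$1") as salt,
# which drops the rest of the scheme marker and the real salt.
my $two_char = crypt('correct horse', substr($stored, 0, 2));
printf "two-character salt, right password: %d\n", constant_time_eq($two_char, $stored);
printf "locked account entry:               %d\n", check_password('anything', stored_hash_for('root', $passwd));
```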



