Date: Thu, 12 Nov 1998 12:56:36 +1100
From: "John Saunders" <john.saunders@scitec.com.au>
To: "Matthew R. Heusser" <matt@pcr7.pcr.com>, <freebsd-questions@FreeBSD.ORG>
Subject: RE: Help! Password Compares in FreeBSD
Message-ID: <006801be0ddf$ae26d080$6cb611cb@saruman.scitec.com.au>
In-Reply-To: <004601be0db8$e47578c0$47eb1bcc@XSTA71.pcr.com>

> Right now, I have a HTML page running on a FreeBSD
> server. The HTML page accepts a username and password,
> and then calls a perl (CGI) process. The perl process finds
> the /etc/passwd file and parses it, searching for the username.
> When it finds the username, it grabs the encrypted password.

Do you realise that /etc/passwd doesn't actually contain the
encrypted passwords? On most Unix boxes that have a shadow
password facility the encrypted passwords are hidden
(/etc/master.passwd) unless you are root. The easiest way is
to use suidperl and to make your script suid root. Then use...

    ($login, $pass) = getpwnam($user);

...to locate the encrypted password.

> $stringCipher = crypt($stringGuess, $stringTemp)
> (Where $temp is the first two characters of the encrypted password)(*)

Change this to...

    $stringCipher = crypt($stringGuess, $stringCryptedPassword)

If Perl calls the system crypt() function it will handle the
MD5/DES difference automagically. By passing the full encrypted
password instead of just 2 characters the crypt function can
check for $1$ itself and encrypt the guessed password using MD5
instead of DES.

Cheers.
--
        .      +-------------------------------------------------------+
    ,--_|\     | John Saunders  mailto:John.Saunders@scitec.com.au     |
   /  Oz  \    | SCITEC LIMITED Phone +61294289563  Fax +61294289933   |
   \_,--\_/    | "By the time you make ends meet, they move the ends." |
         v     +-------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
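
The difference between the two-character salt in the quoted question and the full-hash salt suggested in the reply, as an added example that is not part of the original message. The password, the salts and the sub names are constructed for illustration; the sample hashes are generated at run time by the system's own crypt(), and a scheme the local crypt() does not support is reported rather than compared.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constant-time comparison: do not stop at the first differing character.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Hand crypt() the whole stored hash as the salt. crypt(3) reads the
# scheme prefix ($1$ for MD5) and the salt out of it.
sub check_password {
    my ($guess, $stored) = @_;
    return 0 unless defined $stored && length($stored) >= 13;   # locked or empty entry
    my $cipher = crypt($guess, $stored);
    return 0 unless defined $cipher && length($cipher) >= 13;   # error or unsupported scheme
    return ct_equal($cipher, $stored);
}

# The approach from the quoted question: first two characters only.
sub check_two_char_salt {
    my ($guess, $stored) = @_;
    my $cipher = crypt($guess, substr($stored, 0, 2));
    return defined $cipher && $cipher eq $stored ? 1 : 0;
}

sub verdict { return $_[0] ? 'match' : 'no match' }

# Constructed sample entries (hypothetical password and salts)
my %stored = (
    DES => crypt('s3cret-Pass', 'ab'),
    MD5 => crypt('s3cret-Pass', '$1$examplesa$'),
);

for my $scheme (sort keys %stored) {
    my $hash = $stored{$scheme};
    unless (defined $hash && length($hash) >= 13) {
        print "$scheme: not supported by this system's crypt()\n";
        next;
    }
    printf "%s: full-hash salt: %s, two-char salt: %s, wrong guess: %s\n",
        $scheme, verdict(check_password('s3cret-Pass', $hash)),
        verdict(check_two_char_salt('s3cret-Pass', $hash)),
        verdict(check_password('wrong-guess', $hash));
}
```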