From: Grzegorz Junka
To: Polytropon
Cc: freebsd-questions@freebsd.org
Subject: Re: Verify user password
Date: Sun, 16 Aug 2020 11:13:42 +0000

On 15/08/2020 18:49, Polytropon wrote:
> On Sat, 15 Aug 2020 12:39:06 +0000, Grzegorz Junka wrote:
>> How can I verify if a given password matches the password stored in
>> master.passwd database for a user account that is set up with
>> /nonexistent and /usr/sbin/nologin (so a user that can't normally login
>> to the system but still can have a password stored in the database)?
> First of all, /nonexistent and /usr/sbin/nologin have different
> purposes: if after a successful login the user's interactive shell
> is to be executed, /nonexistent leads to a "cannot find that program
> to execute, exiting right now" situation, while /usr/sbin/nologin
> can actually be executed and then displays an error message and
> exits, terminating the session.
>
> See "man 1 login" and "man 1 nologin" for details.
>
> Regarding password verification:
>
> If you have read access to /etc/master.passwd and the clear text
> password of a user, you can use the crypt() function to generate
> the encrypted password, and then compare that. I think that is
> what you try to do, correct?
>
>     provided:   plain-text password P from somewhere
>                 encrypted password E from /etc/master.passwd
>
>     intended:   is crypt(P) == E?
>
>     approach:   P' = crypt(P)
>                 test if P' == S
>
> This is of course very simplified. :-)
>
> See "man 5 passwd" and especially "man 3 crypt" for details.
>

Yes, the intention is that the user only has an entry in the master.passwd file (so that sendmail service can verify the password against an entry there). It should not be possible for the user to login (meaning, they should not be able to open an interactive session as that user).

I did find some manuals that explain how to generate the password, especially when using different hashing than the default one and store such password in the master.passwd.
That could work, I just hoped that there is a command line utility that is able to verify the password in the same way the system or any service would do without the trickery of fetching the password from master.passwd, verifying the encryption scheme, encrypting the password with the same scheme, then finally testing if they are the same.

Thanks
Grzegorz
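
The manual comparison discussed in this thread (fetch the stored hash, hash the candidate password with the same scheme and salt, compare), written out as an added example that is not part of the original messages. It assumes the `openssl` command is available and handles only `$1$`, `$5$` and `$6$` hashes without a `rounds=` parameter; the function names, return codes and the `mailonly` entry are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Return codes are this example's own:
# 0 = match, 1 = mismatch, 2 = no usable hash or scheme not handled here.

# Print field 2 (the password hash) of USER's line in a master.passwd(5)-format FILE.
stored_hash_for() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# verify_hash STORED_HASH   (the candidate password is read from stdin, so it
# never appears in argv / ps output)
verify_hash() {
    stored=$1
    case $stored in
        '$5$rounds='*|'$6$rounds='*) return 2 ;;  # openssl passwd has no rounds option
        '$6$'*) flag=-6 ;;                        # SHA-512 crypt
        '$5$'*) flag=-5 ;;                        # SHA-256 crypt
        '$1$'*) flag=-1 ;;                        # MD5 crypt
        *) return 2 ;;                            # "*", "*LOCKED*...", empty, other schemes
    esac
    # Modular crypt layout is $id$salt$digest: the salt is "$"-separated field 3.
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ -n "$salt" ] || return 2
    IFS= read -r candidate || [ -n "$candidate" ] || return 2
    computed=$(printf '%s\n' "$candidate" |
        openssl passwd "$flag" -salt "$salt" -stdin 2>/dev/null) || return 2
    [ "$computed" = "$stored" ]
}

# Demo on a constructed entry; a real check would read /etc/master.passwd as root.
demo() {
    db=$(mktemp) || return 2
    hash=$(printf 'mail-secret\n' | openssl passwd -6 -salt Zx9kQ2LmNp4rT7uV -stdin)
    printf '%s\n' "mailonly:$hash:1001:1001::0:0:Mail only:/nonexistent:/usr/sbin/nologin" >"$db"
    printf 'mail-secret\n' | verify_hash "$(stored_hash_for mailonly "$db")"
    rc=$?
    rm -f "$db"
    return "$rc"
}
demo && echo "constructed entry: password matches"
```

A field of `*` or one prefixed with `*LOCKED*` returns 2 rather than 1, so a caller can tell "wrong password" apart from "this account has no password to check".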