I'm trying to compare a shadow password with PHP CLI, but it does not work! I use this function so I can create a password like shadow:

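function shadow ($input){
    $s = ''; // initialise the salt buffer before appending to it
    // append 9 random printable characters
    for ($n = 0; $n < 9; $n++){
        $s .= chr(rand(64,126));
    }
    // "$1$" selects MD5-crypt, followed by the random salt
    $seed =  "$1$".$s."$";
    $return = crypt($input,$seed);
    return $return;
}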

When I replace the result in shadow, it works with the password, but it has different characters. How can I compare it?

Thanks

A: 

I am not quite sure I understand what you are asking -- do you have problems getting the password out of the shadow file, using php?

Konrad Neuwirth
Konrad - this is a comment/question, not an answer. You should put it in the comment section under the question.
Duck
Thank you for the reply. I want to check the root password with PHP CLI.
normand
It looks like he wants to brute-force/guess the password by comparing the hashes.
Heinzi
+2  A: 

Your function creates a random salt (variable seed) using the php rand function. Thus, your salt will be different than the salt used by the existing password in the shadow file.

If you want to compare hashes (i.e. compare the output of your crypt call with the value in shadow), both hashes need to be created with the same salt. Thus, you need to use the salt from the existing password in the shadow file (= the $1$...$ part) instead of creating your own randomly.

In other words, drop your function and just use crypt($input, '$1$...$') instead, with $1$...$ being the first part of the hash in /etc/shadow.

Heinzi
A: 

It might also be worth looking into the PAM pecl extension instead of fiddling with /etc/shadow.

This extension provides PAM (Pluggable Authentication Modules) integration. PAM is a system of libraries that handle the authentication tasks of applications and services. The library provides a stable API for applications to defer to for authentication tasks.
VolkerK
A: 

Use the salt stored in the password file:

 $crypted = crypt($_POST['password'], $stored_password);
 if (hash_equals($stored_password, $crypted)) { // constant-time comparison
     // they match
 }

Note that you don't have to explicitly extract the salt from the stored password, nor worry about the algorithm/salt size - crypt does that for you.

C.

symcbean
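
Added example (not from any of the posts above): verifying a password against a shadow-style entry the way Heinzi's and symcbean's answers describe, by reusing the stored hash as the salt, and skipping locked accounts. The shadow lines, the demo password and the helper names shadow_hash and shadow_verify are constructed for illustration.

```php
<?php
// Added example: the shadow lines below are constructed, not from a real system.

// Return the hash field (2nd colon-separated field) of one shadow line,
// or null for locked/passwordless accounts ("!", "*", "!!", "").
function shadow_hash(string $line): ?string
{
    $fields = explode(':', rtrim($line, "\r\n"));
    if (count($fields) < 2) {
        return null;
    }
    // A usable crypt hash starts with "$id$"; anything else is a lock marker.
    return preg_match('/^\$[0-9a-z]+\$/', $fields[1]) ? $fields[1] : null;
}

// Verify a candidate password against the stored hash.
function shadow_verify(string $password, string $stored): bool
{
    // Passing the full stored hash as the salt makes crypt() reuse its
    // algorithm id and salt, so nothing has to be extracted by hand.
    $computed = crypt($password, $stored);
    // crypt() returns "*0" or "*1" when it cannot hash with that setting.
    return strlen($computed) > 2 && hash_equals($stored, $computed);
}

// Constructed data: an MD5-crypt ($1$) entry for a demo user, plus a locked one.
$stored = crypt('correct horse', '$1$abcdefgh$');
$lines = [
    'demo:' . $stored . ':19000:0:99999:7:::',
    'locked:!:19000:0:99999:7:::',
];

foreach ($lines as $line) {
    $user = explode(':', $line)[0];
    $hash = shadow_hash($line);
    if ($hash === null) {
        echo "$user: no usable hash (locked or empty)\n";
        continue;
    }
    echo "$user, right password: ";
    var_dump(shadow_verify('correct horse', $hash));
    echo "$user, wrong password: ";
    var_dump(shadow_verify('wrong', $hash));
    // Same password hashed under a different salt: the strings differ, which
    // is why a freshly salted hash can never be compared with the stored one.
    echo "$user, right password but new salt equals stored: ";
    var_dump(hash_equals($hash, crypt('correct horse', '$1$zzzzzzzz$')));
}
```

Reading the real /etc/shadow requires root, which is one reason the PAM route suggested above is usually the better fit for an application.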