Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Login application

1 view
Skip to first unread message

Otto Wyss

unread,
May 26, 2004, 4:28:29 PM5/26/04
to
I'm writing my own login application and have figured out how to
retrieve the current login (getlogin) or the password file (getpwent)
but I haven't found well the rest. ;-) Could anyone give me some hints
for names I can look up?

O. Wyss

--
See a huge pile of work at " http://wyodesktop.sourceforge.net/"

Lew Pitcher

unread,
May 26, 2004, 9:05:39 PM5/26/04
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Otto Wyss wrote:
| I'm writing my own login application and have figured out how to
| retrieve the current login (getlogin) or the password file (getpwent)
| but I haven't found well the rest. ;-) Could anyone give me some hints
| for names I can look up?

You've almost got everything you need for classical passwords (/etc/passwd
passwords). You're missing crypt(3) and strcmp(3). See passwd(5) for some details.

The first two characters of the encrypted password (retrieved by getpwent()
are the crypt(3) 'salt' used to create the encrypted password.

Shadow passwords (/etc/shadow) are different. If the classical password is a
single byte string "x", then you'll want shadow(5) and getspent(3)

Finally, if you're using PAM, then I can't help you at all.

- --
Lew Pitcher

Master Codewright & JOAT-in-training | GPG public key available on request
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAtT7jagVFX4UWr64RAjerAJ9b8jHx53D1ZJyJ4lKjxSn0g0OJiACgjpja
JFNTK3jD2RHCz3dCFuLBqHE=
=36Ti
-----END PGP SIGNATURE-----

Kasper Dupont

unread,
May 27, 2004, 12:09:38 AM5/27/04
to
Lew Pitcher wrote:
>
> You've almost got everything you need for classical passwords (/etc/passwd
> passwords). You're missing crypt(3) and strcmp(3). See passwd(5) for some details.

I have a bit of example code here:
http://www.daimi.au.dk/~kasperd/comp.os.linux.development.faq.html#crypt

>
> The first two characters of the encrypted password (retrieved by getpwent()
> are the crypt(3) 'salt' used to create the encrypted password.

Two characters for DES based passwords. The MD5 based
passwords use a longer salt. But you don't even need
to know about that to verify a password.

>
> Shadow passwords (/etc/shadow) are different. If the classical password is a
> single byte string "x", then you'll want shadow(5) and getspent(3)

And actually the source of the password and the coding
are orthogonal.

>
> Finally, if you're using PAM, then I can't help you at all.

I can't help either except from the URL above which
also contains a link to a bit of PAM documentation.

--
Kasper Dupont -- der bruger for meget tid paa usenet.
For sending spam use kas...@kd.lir.dk and ab...@kd.lir.dk
I'd rather be a hammer than a nail.

Lew Pitcher

unread,
May 27, 2004, 8:39:10 AM5/27/04
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kasper Dupont wrote:

> Lew Pitcher wrote:
[snip]


>>The first two characters of the encrypted password (retrieved by getpwent()
>>are the crypt(3) 'salt' used to create the encrypted password.
>
> Two characters for DES based passwords. The MD5 based
> passwords use a longer salt. But you don't even need
> to know about that to verify a password.

I hadn't thought about it that way.

No doubt that you can pass crypt() a pointer to the old encrypted password as
the 'salt' value, and let crypt() pick out the salt characters. That way, you
don't even care how long the salt should be as crypt() uses what it needs.

Well, I learn something new every day ;-)

Thanks!

[snip]


- --
Lew Pitcher
IT Consultant, Enterprise Application Architecture,
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed are my own, not my employers')
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFAteFsagVFX4UWr64RAoGIAKDdS0C1GpEcD8nhRYDb5cCbVKtCugCaA0v9
SJwrnn8Jb0W10jXTDxN5G/A=
=XUQx
-----END PGP SIGNATURE-----

Lew Pitcher

unread,
May 27, 2004, 11:41:19 PM5/27/04
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kasper Dupont wrote:
| Lew Pitcher wrote:
|
|>You've almost got everything you need for classical passwords (/etc/passwd
|>passwords). You're missing crypt(3) and strcmp(3). See passwd(5) for some
details.
|
|
| I have a bit of example code here:
| http://www.daimi.au.dk/~kasperd/comp.os.linux.development.faq.html#crypt
|
|
|>The first two characters of the encrypted password (retrieved by getpwent()
|>are the crypt(3) 'salt' used to create the encrypted password.
|
|
| Two characters for DES based passwords. The MD5 based
| passwords use a longer salt. But you don't even need
| to know about that to verify a password.
|
|
|>Shadow passwords (/etc/shadow) are different. If the classical password is a
|>single byte string "x", then you'll want shadow(5) and getspent(3)
|
|
| And actually the source of the password and the coding
| are orthogonal.

The observation was meant more as a guide that, for a system that uses shadow
passwords, the OP couldn't compare the encrypted getpwent() password to the
encrypted getpass() password. Instead, the OP would have to be sensitive to
the contents of the getpwent() password, and if it consisted of the string
"x", compare against the getspent() password instead.


- --
Lew Pitcher

Master Codewright & JOAT-in-training | GPG public key available on request
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAtrTfagVFX4UWr64RAugxAKCnQI6EXDIP3Ekl/JHi9FjX7mF8KgCfYZZU
tZ/RPAeMxkr54Y4Gbk+2s8k=
=R6sm
-----END PGP SIGNATURE-----

Kasper Dupont

unread,
May 28, 2004, 12:36:20 AM5/28/04
to
Lew Pitcher wrote:
>
> The observation was meant more as a guide that, for a system that uses shadow
> passwords, the OP couldn't compare the encrypted getpwent() password to the
> encrypted getpass() password. Instead, the OP would have to be sensitive to
> the contents of the getpwent() password, and if it consisted of the string
> "x", compare against the getspent() password instead.

OK, that makes sense. But I guess if you use PAM you
wouldn't even have to worry about that. This is
something PAM should take care of. (I don't know much
about PAM though).

Dragan Cvetkovic

unread,
May 28, 2004, 9:04:00 AM5/28/04
to
Kasper Dupont <kas...@daimi.au.dk> writes:

> (I don't know much about PAM though).

Who does? It has always been rather misty to me, but I must confess I have
always been too lazy/busy to read Sun's documentation about it (as in
http://www.sun.com/blueprints/0902/816-7669-10.pdf and
http://www.sun.com/blueprints/1002/816-7670-10.pdf for Solaris 9). One day,
maybe ...

Bye, Dragan

--
Dragan Cvetkovic,

To be or not to be is true. G. Boole No it isn't. L. E. J. Brouwer

!!! Sender/From address is bogus. Use reply-to one !!!

Otto Wyss

unread,
May 28, 2004, 2:01:07 PM5/28/04
to
Lew Pitcher <Lew.P...@td.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Kasper Dupont wrote:
>
> > Lew Pitcher wrote:
> [snip]

Thanks for all the suggestions, now I've a lot to look through.

0 new messages