


user authentication via /etc/passwd|/etc/shadow

Hi,

I want to write a program where I authenticate users via the standard
unix system accounts. I didn't find a module providing this
functionality. Is there such a module available? If not, how can I
achieve this?

Marco

-- 
Marco Herrn             herrn@gmx.net
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

0
herrn1 (20)
4/4/2004 11:30:17 AM
comp.lang.python

Marco Herrn wrote:
> I want to write a program where I authenticate users via the standard
> unix system accounts. I didn't find a module providing this
> functionality. Is there such a module available? If not, how can I
> achieve this?

You need a combination of the pwd and crypt modules. Look up the name
of the user using the pwd module, and fetch the encrypted password.
Then use crypt.crypt for encryption; use the first two letters of
the encrypted password as the salt.

Be aware that some installations use MD5 passwords, which can be
recognized by starting with $1$ (or some such).

Regards,
Martin

0
4/4/2004 5:47:16 PM
On 2004-04-04, Martin v. Löwis <martin@v.loewis.de> wrote:
> Marco Herrn wrote:
>> I want to write a program where I authenticate users via the standard
>> unix system accounts. I didn't find a module providing this
>> functionality. Is there such a module available? If not, how can I
>> achieve this?
>
> You need a combination of the pwd and crypt modules.
It seems that the pwd module can only access /etc/passwd. If the
passwords are stored in /etc/shadow, it doesn't work. Is there a way to
access shadow passwords, too?

Marco

-- 
Marco Herrn             herrn@gmx.net
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

0
herrn1 (20)
4/4/2004 6:38:40 PM
Marco Herrn wrote:
> It seems that the pwd module can only access /etc/passwd. If the
> passwords are stored in /etc/shadow, it doesn't work. Is there a way to
> access shadow passwords, too?

No, support for shadow modules is currently not available. You might 
want to check out http://python.org/sf/579435 to see whether it helps
you. Comments in this SF patch submission on the usability of the
specific patch are appreciated.

Regards,
Martin

0
4/4/2004 7:11:06 PM
Marco Herrn wrote:

> I want to write a program where I authenticate users via the standard
> unix system accounts. I didn't find a module providing this
> functionality. Is there such a module available? If not, how can I
> achieve this?

You can try the python-pam module:

http://ftp.debian.org/debian/pool/main/p/python-pam/python-pam_0.4.2-10.1.tar.gz

Regards,
Dima.
0
dima1898 (1)
4/4/2004 9:40:34 PM
On 2004-04-04, Dima Barsky <dima@debian.org> wrote:
> Marco Herrn wrote:
>
>> I want to write a program where I authenticate users via the standard
>> unix system accounts. I didn't find a module providing this
>> functionality. Is there such a module available? If not, how can I
>> achieve this?
>
> You can try the python-pam module:
>
> http://ftp.debian.org/debian/pool/main/p/python-pam/python-pam_0.4.2-10.1.tar.gz

Thanks, I will try it.


-- 
Marco Herrn             herrn@gmx.net
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

0
herrn1 (20)
4/5/2004 12:38:50 PM
On 2004-04-04, Martin v. Löwis <martin@v.loewis.de> wrote:
> You need a combination of the pwd and crypt modules. Look up the name
> of the user using the pwd module, and fetch the encrypted password.
> Then use crypt.crypt for encryption; use the first two letters of
> the encrypted password as the salt.
>
> Be aware that some installations use MD5 passwords, which can be
> recognized by starting with $1$ (or some such).

A question about these md5 and sha1 hashed passwords. The python modules for
these are different from the crypt module. In particular, there is no salt. So
how would I compare a given password to a given hash? Just rehash the
password? Would the hash always be the same? I thought the salt was
there to improve security.

And how can I distinguish these hash methods? For example I have a
hash. How do I find out which hash method was used for this? As I have
seen md5 hashes are always 128 bit long. When I have such a hash in hex
form, can I say if that hash string has a length of 32 it is definitely
an md5 hash, a length of 40 indicating a sha hash and a length of 13
indicating a crypt() hash?
And what about the prefix $1$ for md5? When this is available just cut
it off the hash? Are there any other forms of such prefixes? 

Sorry for this lot of questions. ;-)
Marco


-- 
Marco Herrn             herrn@gmx.net
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

0
herrn1 (20)
4/6/2004 8:52:54 PM
According to Marco Herrn  <herrn@gmx.net>:
> And what about the prefix $1$ for md5? When this is available just cut
> it off the hash? 

Yes, don't hash it.

> Are there any other forms of such prefixes? 

$ uname
FreeBSD

$ man 3 crypt
[...]
   Modular crypt:
     If the salt begins with the string $digit$ then the Modular Crypt Format
     is used.  The digit represents which algorithm is used in encryption.
     Following the token is the actual salt to use in the encryption.  The
     length of the salt is limited to 8 characters--because the length of the
     returned output is also limited (_PASSWORD_LEN).  The salt must be termi-
     nated with the end of the string (NULL) or a dollar sign.  Any characters
     after the dollar sign are ignored.

     Currently supported algorithms are:

           1.   MD5
           2.   Blowfish

I believe this $digit$ convention was invented by the BSDs.

Cheers.


-- 
Ng Pheng Siong <ngps@netmemetic.com> 

http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- ZServerSSL/Zope Windows Installers
0
ngps (100)
4/9/2004 12:12:50 PM
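
The scheme detection discussed in this thread, as an added example that is not part of any post: it classifies a password field from /etc/passwd or /etc/shadow by the `$digit$` prefix or the 13-character traditional form, then verifies a password by handing the whole stored hash back as the salt. The names `classify`, `verify` and `crypt_fn` are assumptions; `crypt_fn` stands for any crypt(3) binding, such as `crypt.crypt` on Python versions that ship it.

```python
import hmac
import re

# Ids 1 and 2 come from the man page quoted above; 2a/2b/2y, 5 and 6 are
# later additions on other systems (assumption, not from the thread).
SCHEMES = {"1": "md5", "2": "blowfish", "2a": "blowfish", "2b": "blowfish",
           "2y": "blowfish", "5": "sha256", "6": "sha512"}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")
UNUSABLE = {"no-password", "shadowed", "locked", "unknown"}


def classify(field):
    """Name the scheme of a passwd/shadow password field."""
    if field == "":
        return "no-password"
    if field == "x":
        return "shadowed"            # the hash itself is in /etc/shadow
    if field[0] in "*!":
        return "locked"              # no password can ever match
    if field.startswith("$"):
        parts = field.split("$")     # ['', id, salt or parameters, ...]
        if len(parts) >= 4:
            return SCHEMES.get(parts[1], "unknown")
        return "unknown"
    if DES_RE.fullmatch(field):
        return "des"                 # first two characters are the salt
    return "unknown"


def verify(password, stored, crypt_fn):
    """Check password against stored; crypt_fn(password, salt) -> hash."""
    if classify(stored) in UNUSABLE:
        return False                 # refuse rather than guess
    # The whole stored hash is passed as the salt: crypt() reads the prefix
    # and salt from it, so nothing is cut off or re-attached by hand.
    candidate = crypt_fn(password, stored)
    if not isinstance(candidate, str):
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Constructed sample fields (not real hashes).
SAMPLES = ["abCDEFGHIJKLM", "$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA",
           "$2$saltsalt$BBBBBBBB", "x", "*", "!$1$saltsalt$AAAA", ""]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", classify(s))
```

An empty field is rejected here instead of being treated as a passwordless login, and the comparison uses `hmac.compare_digest` so it does not leak how many leading characters matched.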