Topic: matching linux encrypted passwords

Hi,

I am trying to port my application from PHP to RoR and am having trouble trying to authenticate users. I have taken the passwords from the Linux system file /etc/shadow and stored them in MySQL. In PHP I am using the following code to match the password entered by the user:

if (CRYPT_MD5 == 1) {
  if (crypt($password, $db_password) == $db_password) {
    return('OK');
  } else {
    return('ERROR');
  }
}


The salt that crypt uses is the encrypted password itself. I have tried lots of different ways to get the same encrypted password in Ruby but have not been able to figure this out. I'm also not sure if the passwords are using MD5 or DES encryption. I am assuming they are MD5, as this is what works in PHP, but according to some sources Linux passwords are encrypted using DES encryption.

Thanks

Re: matching linux encrypted passwords

IIRC the hashing used on the shadow file in linux/unix is configurable and will vary depending on which distro you use and its configuration.

Typically though security for each application is handled by that application. Your RoR and PHP apps should store their own usernames and passwords and not rely on the shadow file.

Once you do that the type of hash you use is up to you and you don't need to worry about a system level config change breaking your app.

Re: matching linux encrypted passwords

Hi,

I actually need to use the passwords in /etc/shadow as Ruby is interfacing with another application (that cannot be changed) and stores its passwords in this way, mainly because they have shell accounts. The passwords will be accessed from the same machine (apart from testing) so should have the same crypt functions available to it. I just need to figure out how to access this through Ruby.

Thanks

Re: matching linux encrypted passwords

What Linux distro and version number?

The thing about Ruby is that, if it has an equivalent to the PHP crypt, I'm not sure that it uses the underlying system calls as often as PHP does. Odds are that the hashes are quite simply md5 or sha and you can do that directly, but it's hard to say.

Got a link to the API spec for the PHP crypt() method?

Re: matching linux encrypted passwords

Hey jbartels,

I am using RHEL 4 and CentOS 4 servers, which are essentially the same. The PHP man page for the crypt() method is http://ca3.php.net/manual/en/function.crypt.php

I hope I'm going to be able to do this all in Ruby; it would be a shame to have to handle authentication outside of Ruby.

Re: matching linux encrypted passwords

Would Crypt or EzCrypto help you out?

Good luck. :)

Re: matching linux encrypted passwords

Hi Firanide,

I tried both of these but they give me different hashes than the ones stored in the /etc/shadow file so they must be using different encryption, or the salt is the issue. I'm not sure which.

Re: matching linux encrypted passwords

I managed to get this working by using the following code

user_submitted_password.crypt( encrypted_database_password )
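
Added example, not part of the posts above: a Ruby sketch of the full check the thread arrives at, where the stored /etc/shadow hash is passed to String#crypt as the salt and the result is compared with the stored value. The helper names, the sample user "alice" and the sample password are assumptions constructed for illustration; it also goes slightly beyond the thread by naming the scheme from the hash prefix and rejecting locked accounts.

```ruby
# Added example: check a password against an /etc/shadow-style hash in Ruby.
# String#crypt calls the system crypt(3); passing the stored hash as the salt
# makes crypt reuse its "$id$salt$" prefix, just like the PHP call in the thread.

SCHEMES = { "1" => "MD5-crypt", "5" => "SHA-256-crypt", "6" => "SHA-512-crypt" }.freeze

# Name the scheme from the hash prefix ("$1$..." is MD5-crypt, 13 plain chars is DES).
def crypt_scheme(stored)
  if (m = stored.match(/\A\$([0-9a-z]+)\$/))
    SCHEMES.fetch(m[1], "unknown")
  elsif stored.match?(%r{\A[./0-9A-Za-z]{13}\z})
    "DES-crypt"
  else
    "unknown"
  end
end

# The second colon-separated field of a shadow line is the password hash.
def shadow_hash(line)
  line.chomp.split(":", -1)[1]
end

# Compare without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify_shadow_password(candidate, stored)
  # Never accept empty fields or "*" / "!"-prefixed (locked) entries.
  return false if stored.nil? || stored.empty? || stored.start_with?("!", "*")
  secure_equal?(candidate.crypt(stored), stored)
rescue ArgumentError, SystemCallError
  false # salt too short, NUL byte in input, or scheme unsupported by libc
end

# Constructed sample data (hypothetical user and password, generated locally).
SAMPLE_HASH = "correct horse".crypt("$1$saltsalt$")
SAMPLE_LINE = "alice:#{SAMPLE_HASH}:19000:0:99999:7:::"

if __FILE__ == $PROGRAM_NAME
  stored = shadow_hash(SAMPLE_LINE)
  puts "#{crypt_scheme(stored)}: #{verify_shadow_password('correct horse', stored)}"
end
```

Because the hashing is delegated to the system crypt(3), the check only works on a host whose libc supports the scheme named in the stored hash's prefix.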