Software :: Check A String With Actual User Passwd (ie Password In /etc/shadow)?
Sep 24, 2009
I am trying to write a remote access module. Is there any function in linux where I can give string (password entered by user) and compare it with the actual user password stored in /etc/shadow. Since the password is stored encrypted in /etc/shadow I cannot parse and compare. So I want some method to compare if my user entered the correct password..Is there any function for that..
I started to work on building a ftp by vsftpd in our lab (that's only for our lab members). I am going to setup some the virtual users for each of the member. We have a CentOS5 (without upgrade after the fresh installation). I try several ways to setup the vsftpd for virtual users. 1) with db4 2) with mysql 3) without database and use htpasswd. But all fails. Actually, I don't want to use database, so I am going to find out the reason of failure on 'htpasswd' method
My vsftpd is installed in /etc/vsftpd (for only using ftp account, it is no problem to login).
1) I setup an account called vftpuser and build the corresponding home (/home/vftpuser), and then I setup another account call usera and also create a directory within /home/vftpuser.
2) I use htpasswd to add passwd to usera and store the passwd in /etc/vsftpd/passwd.
3) I added the name of usera to /etc/vsftpd/user_list
4) I create a directory /etc/vsftpd/user to store a unique conf for each user (for usera, the conf named usera) which contains the local root for users, which is
we know that /etc/passwd - is a replica of /etc/passwd file and acts as a backup in any damage done to /etc/passwd file..i have observed a strange thing in RHEL 5.4....for example... if /etc/passwd has 100 accounts.. then /etc/passwd - is having only 99 accounts....when i add 101 useraccount with "useradd" then /etc/passwd has 101 accounts and /etc/passwd is having the 100th account of /etc/passwd - ..when i delete /etc/passwd and recover it with /etc/passwd - from runlevel 1 the lastly created user is not having his account after recovery.. what is the solution? this is same case even with /etc/shadow and /etc/shadow -
I am bulding my own image based on 2.6.32 kernel, I wish to add a guest user:
In a script thats invoked by the makefile, I use 'useradd' command & this updates the shadow, passwd files under /etc on the host, is it possible to tell the command to create the shadow / password under some other folder on the host? may be /tmp?
Its 2 weeks i'm trying to configure freeradius2 on centos5 64bit after installed it from yum.all seems working, but i cant authenticate unix users.after digging in many sites its simply cant find user name and password ( ++[unix] returns notfound )Also how can i paste here all the radiusd -X log lines? i can't find any radius.log file.
I'm running RHEL 5. When using the GUI System>Administration>Users and Groups, I get the error: The user database cannot be read. This problem is most likely caused by a mismatch between /etc/passwd and /etc/shadow or /etc/group and /etc/gshadow. The program will exit now.
Some research showed that I need to use vipw and vigr respectively to find an inconsistency between these two sets, which I did - to make it easy I copied each from [vipw | vigr] to an excel file and did =exact(%1, %2). There are no inconsistencies.
I have been working on Kerberos and Ldap Authentication on SUSE 11.3.
I was successful with Kerberos authentication and had no issue. then i moved to configure LDAP as i want to configure this authentication method for APACHE server.
Now after configuring ldap and pam, I am able to check the command 'getent shadow' with no issue and this command lists all the users of that OU too. but when i try getent passwd or getent group , it results nothing but local users.
I have the following two type of strings1: A/D2: A/C/DI am trying to write a subroutine to check whether all of the letters in string 1 appears in string 2. If yes, return true. If not, return false. In the above example, all the letters (A and D) in string 1 are also present in string 2, so I return true.
I am moving my Linux server from Suse 10 to Ubuntu 9.04 and I moved the significant parts of /etc/shadow, /etc/passwd, and /etc/group over to Ubuntu 9.04. I am not able to login into the computer with the old accounts. The only problem I see is that the old accounts use Blowfish and DES to encrypt the passwords in /etc/shadow, and Ubuntu uses SHA512. If I change the passwords, the accounts will work. However; I have about 300 accounts to move, and I don't want to do that to all of them. I have tired Ubuntu Forums and talked to every linux expert I know, and no one has an answer.
Today i was going through some of security guides written on linux .Under shadow file security following points were mentioned.1)The encrypted password stored under /etc/shadow file should have more than 14-25 characters.2)Usernames in shadow file must satisfy to all the same rules as usernames in /etc/passwd.3)password for application Username should display * if username is not locked.4)If a user is locked it should be displayed as ! as the first character in second field of shadow file.
Confusion for point 1 and 2:Now i m confused as why the encrypted password should be more than 14-25 characters.Also what rules to satisfy How to check it?Confusion for point 3 and 4:There are lot of users with * as second field i guess they are not locked but according to 4th point there are lot of users with ! as first characters.How would i check whether they are actually locked or not.I m posting the output of /etc/shadow and /etc/passwd files for the account.
The /etc/shadow file contains an id of $1$, $2$, $5$ or $6$ to show the encryption method used.A salt follows this,followed by the password hash.When a user is created and a password is set, a hash is RANDOMLY generated and used as the salt to the password hash. Everytime that user logs in, login checks /etc/shadow for the $id$ and salt and runs the password given by the user through the hash mechanism ($id$) using the salt in /etc/shadow.So basically does login look at /etc/shadow for the $id$ and salt to create a hash with which to compare to the /etc/shadow hash?question 2 - If my $id$ was $5$, which is sha256, how would i go about changing this? Like is there a shadow.conf or crypt.conf or something? Can i change it per user?
I noticed that our /etc/shadow file is readable on a patch I released for one of our in house linux boxes a while back ago. Could they use it to gain access the root account etc? Our passwords are all MD5 encrypted.
I would like to grep all values other than encrypted password from /etc/shadow fileFor example,each line consists of 8 fields separated with :/The only thing that I want not to print out is the contents between first : and second : (encrypted password)
I am working on building a customized ISO image of a server based on linux. The thing is after the server is installed and run for the first time, three users have to be created for the various services to run properly. I want this to be automated. To achieve this what is was thinking is automatically enter the user entries in the /etc/passwd and /etc/shadow files through init scripts when the server starts for the first time after the installation. I tried creating user and assigning password in one of my machine, and the /etc/passwd and the /etc/shadow entries of this user I copied it into the other machine and tried login in on the other machine and everything worked fine. How I am trying to achieve this.
I have Red Hat version 4 I was trying to change the root password with the passwd command.I get the error passwd: PAM [dlerror: /lib64/security/sufficient: cannot open shared object file: No such file or directory] I have change the password before.
i am new to debian. I need to know after booting sequence login shell appears to get username and password. so what happens when user puts username and password ?? how this given username and password are matched with /etc/shadow file ??
my another question is what is role of /etc/pam.d/ authenticating username and password ?? does it work with shadow file or not ?
All servers mentioned below run OpenSuSE, either 10 or 11.I am currently working on a few scripts that are meant to be used as part of a continuous integration setup. I am trying to keep these scripts reasonably secure, and so I have made sure that all the servers run these scripts only as a specific user (user1) that has permissions to basically nothing else. The problem I am currently running into is that I need to start and stop tomcat as user1 but this user doesn't have permissions to the tomcat rectory (only tomcat has execute permissions). I have a temporary workaround in place while I work on the scripts (I have an SSH key in place that allows me to SSH from user1o tomcat without a password and execute my commands that way) but it is not very secure. I have tried adding the following line to /etc/sudoers:
Code: tomcat localhost = NOPASSWD: /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh but it doesn't work as I expected it to. I tried a few different syntaxes for that line,
we are trying to make a policy decision whether to go with SSH user/passwd or PPK secure key ? our servers are hosted remotely by a hosting service. we were wondering which of these two models are more secure.e.g. i would tend to think that user/passwd with account lockouts upon failed attempts would be more secure because the other option exposes your server in case someone sneaks the PPK file or steals your whole computer.however, what makes me doubt myself is that Amazon Web Services EC2 cloud hosting uses PPK by default (although an instance's SSH config can be change to accommodate logging in but they don't endorse it).
I've been trying to write php or perl code to generate the sha-512 password hashes in fedora. I've been unable to do the hashing which is encoded in the shadow file on fedora core 11. Does anyone have php or perl code which provides the hashing algorithm. (All of my attempts result in the encrypted hashing being longer than 86 character -- the length that crypt says the sha-512 should be)
I have just got my Openldap server up and running howerver, I admit I'm a little confused about authenticating a client mechine to the server. When I create an account on the ldap server, does this mean that the server creates a user account in the /etc/passwd, or somewhere else on the server?