Password Encryption Check


garfvader
01-16-2004, 04:49 PM
Hello!

I've been doing searches on Google and through Perl databases and whatnot and am having some trouble coming up with an answer to this one.

I'm in a situation where I have a Unix server with a big huge password file. I'd like the usernames and passwords from this file to be utilized in an htpasswd file so I can link an htaccess to these already preexisting usernames and passwords.

That's not a problem. The problem is I'd like to be able to set up the login for the users using a Perl script. When I go to check their password (since the password field sends just text), I need to encrypt it and then check to see if it matches the password in the htpasswd file. Unfortunately, I don't know how to encrypt these passwords to match the passwords in that file. Could anyone give me some advice or tips to at least get me pointed in the right direction? It would be much appreciated.

Thanks!

AdamGundry
01-17-2004, 03:57 AM
IIRC, you will need to use the crypt() function: http://www.perldoc.com/perl5.8.0/pod/func/crypt.html

Adam

garfvader
01-17-2004, 10:49 AM
Well, hmm, I wasn't really descriptive enough. I already know about the crypt function. My problem is that when I encrypt a password using my Perl program, it does not match the encrypted form of the password in my htpasswd file.

So I'm not sure perhaps if maybe I need to know what sort of salt to use or what. Essentially I need to have my Perl program encrypt a password the same way that htaccess for Apache encrypts the password.

That's where I'm stuck :P

AdamGundry
01-17-2004, 03:14 PM
According to this page (http://www.faqts.com/knowledge_base/view.phtml/aid/2133/fid/386), you need to use the first two characters from the password as the salt. Alternatively, your Apache system may be using another algorithm (I believe SHA and a variant of MD5 can also be used).

Adam

garfvader
01-17-2004, 09:01 PM
Hmmmm very interesting! Thanks for the link!
That at least gives me an idea of what's going on when Apache is encrypting the passwords.

I think we're using nisplus. I'm not sure what sort of encryption that's adding to it though :P

garfvader
01-18-2004, 12:13 PM
Ah ha figured it out! The reason I couldn't get my password to match is because I needed to take the first two characters of the already preexisting encrypted password and use that as the salt as opposed to the first two characters of the password they enter.

Since I'm not letting users create passwords with my form, just check them, that was the solution. Thanks guys!
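
The check described in the last post, as an added example that is not part of the original thread: it verifies an entered password against a traditional crypt() entry by passing the stored hash itself as the salt argument. The user name, password, salt "ab" and the helper names `check_password` and `constant_time_eq` are constructed for illustration, and it assumes the system's crypt() still supports two-character-salt DES hashes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: build an htpasswd-style line in-process so the
# script runs offline. The user name, password and salt "ab" are made up.
my $sample_hash = crypt('s3cret-pass', 'ab');
die "this system's crypt() does not support traditional DES hashes\n"
    unless defined $sample_hash && length($sample_hash) == 13;
my @htpasswd_lines = ("alice:$sample_hash");

# Compare two strings without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 1 if $entered matches the stored hash for $user, else 0.
sub check_password {
    my ($user, $entered, @lines) = @_;
    for my $line (@lines) {
        chomp(my $copy = $line);
        my ($name, $stored) = split /:/, $copy, 2;
        next unless defined $stored && $name eq $user;
        # Apache's other formats carry a prefix and are not handled here.
        return 0 if $stored =~ /^(?:\$apr1\$|\{SHA\}|\$2[aby]\$)/;
        # crypt() reads the salt from the start of its second argument, so
        # passing the stored hash reuses the salt it was created with.
        my $candidate = crypt($entered, $stored);
        return (defined $candidate && constant_time_eq($candidate, $stored)) ? 1 : 0;
    }
    return 0;    # unknown user
}

# Salting with the first two characters of the entered password does not
# reproduce the stored hash, because the stored salt was "ab".
my $wrong_salt = crypt('s3cret-pass', substr('s3cret-pass', 0, 2));

print "correct password:  ", check_password('alice', 's3cret-pass', @htpasswd_lines), "\n";
print "wrong password:    ", check_password('alice', 'guess', @htpasswd_lines), "\n";
print "wrong-salt match:  ", ($wrong_salt eq $sample_hash ? 1 : 0), "\n";
```

Entries in Apache's MD5, SHA or bcrypt formats are rejected rather than guessed at, since crypt() on a given system may not understand them.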