Unix Shell Password Check

[kbjradmin]

I am writing a script to lock a unix system but not logout.
When the script is run, I want it to provide a prompt for the user to enter their password to unlock the system.

How can I check this to make sure it is their password?

[woiwky]

Assuming there's more than one user, you'll need to use some form of a database. A flat-file db would work fine, but a db like mysql could work as well. With a flat-file db, you'll need to look for a username/password match in the file. With mysql, you'll need to execute a query such as:

mysql -u username -p password -D database -e "SELECT id FROM users WHERE password = '$password' AND username = '$username'"

And as for making the password not show up as they type, use 'stty -echo' before the prompt to enter data. You should then use 'stty echo' after they enter it to show the typed characters in further prompts.

[kbjradmin]

thank you woiwky. that's very helpful.

i'm new to unix, so i'm not sure; but will the sql query check for the users unix password, or is that for some other password, because i was not aware that unix used sql for it login information.

[xPlozion]

that would be a password stored in the db. unix stores the user's passwords somewhere in the /etc/ folder (i think it's /etc/passwd or /etc/shadow, but i could be wrong). a google search should come up helpful

[woiwky]

I think I see what you mean now. I was a little confused. You want to use the unix login info for this then?

In this case, like xPlozion said, you'll have to use the password file which is probably in /etc/passwd. If they're in /etc/shadow, then this makes it harder because the user needs the privilege to access this file. You could give all the users this privilege, but that will negate the security gain of having the data stored there.

In any case, you'll need to encrypt(crypt(3) I believe) the password they enter before comparing it to the value in the file. I'm not 100% sure about this part, but if you do a little research I'm sure you'll find the answer.

Once you have the encrypted password, it's as easy as comparing it to the data in the file.

[dbojan]

The password of *nix users is stored in /etc/shadow and it's crypted and i don't think you can use crypt to see password, because everyone could do that and have your password. You probably need some api function, google will help you.

[woiwky]

The passwords cannot be decrypted, but they can be compared to another encrypted password for verification. How else would you be able to login?

[kbjradmin]

thank you, everyone; i think i understand now.

[dbojan]

@woiwky dude it's not like php. In php we have only one way crypting. But in *nix we have crypt and decrypt so it would be easy to find password if it's like you said.

[woiwky]

@woiwky dude it's not like php. In php we have only one way crypting. But in *nix we have crypt and decrypt so it would be easy to find password if it's like you said.

Do you understand what the topic here is(or was)? There's no php involved. Although I will say that php certainly provides more than one method of encryption.

Furthermore, even if a password is encrypted, as long as the encryption algorithm is known, it is possible to compare passwords. This is how a typical login system works.

Yes, the same process could be used for cracking passwords, and it is easy to setup, but it is not an easy method of cracking passwords(this is called brute force cracking by the way). Unless the password is weak, it would take far too long to crack in most cases.