How to verify correct username and password

Posted on 2004-09-02
Medium Priority
Last Modified: 2010-04-21
I need some direction for writing a security routine. The idea is that a new security program will run prompting the user for a username/password. The program will verify the password with the user's existing account. If it is a good match, we will continue and run the requested application, otherwise, it will notify the user, etc.

The platform will be red hat.  I am hoping that the code to check the user's username/password can be written as a standalone c program or a shell/perl script.  Something like:

checkpassword username password

Where I can check the return status and act accordingly

I have been asked to support verifying the password with two configurations:
   1) the user account on the local Red Hat server
   2) a user account in a specified Active Directory

depending on the customer's preference.

I have found some references to using apache's htaccess command and some references to using PAM modules, but I am hoping the forum here can find a workable solution.

Question by:jjhalko

Accepted Solution

Mysidia earned 900 total points
ID: 11969761
I think it is best in this case to use PAM as it will mean the C program doesn't need to worry about what exactly the user is being authenticated against, just so long as you have the right authentication modules for what you need...
See here also: http://www.experts-exchange.com/Programming/Programming_Languages/Cplusplus/Q_21104620.html#11897622

I don't think running "checkpassword username password" would be a very good input method from a security perspective as it makes it too easy for other programs running on the system to catch the information.

Programs run on the system by any user can possibly see the command line checkpassword was started with, and if the password was on the command line, it may see that.

(Password should really be input after it is started)


Expert Comment

ID: 11980805
I'm not at all experienced with PAM, or active directory, but I do know about how to handle option (1).

The standard way of verifying a password is to use a 1-way hash function, generally either DES or MD5 to scramble the input password, and then compare it to the stored (scrambled) password, which has been scrambled with the same routine. If they match, then the password is correct.

The C function call you use is crypt(3), which has a prototype that looks like

char *crypt(const char *key, const char *salt);

(most other languages will have a similar implementation, perl certainly does)

The key string contains the plaintext password, and the salt string is a few random characters used to ensure that users with the same password don't get the same hash. The return value is a pointer to the hashed string. The hashed string will have the salt prepended to it. This means that when verifying the password, you should pass the existing hashed string as the salt, and then compare the returned string to the existing hash.

Note that to do this verification, you will need read access to /etc/shadow which means you need to be root.

Having said all this, if you can find a solution using PAM which covers both this, and active directory, then by all means use it, since it'll probably be better than hand coding two separate systems.

Regarding the use of a command line program, I agree that passing cleartext passwords as arguments is a bad idea. If you really have to though, be sure to copy argv[1] and argv[2] to some other local variable, then memset() them to zero, this way (I *think*) they won't be readable to other programs, like ps. Do this before you do anything else (note that there is still a race condition here). I assume that you are planning to use this command line proggy via a pipe, not from a shell. If you do the latter, then the cleartext password will be stored in the history file, which is a *very* bad thing. In general, only give password as cmd-line arg if you *really* have to.
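The local-account check described in the comment above, written out as a small Perl script. This is an added example, not code posted by anyone in the thread. It assumes a Linux box with a standard /etc/shadow (so it must run as root, as the comment notes), that libc's crypt() understands the hash types found there ($1$, $5$, $6$, and on newer systems $y$), and that the caller pipes the password on standard input rather than putting it on the command line. The username regex and the `checkpassword` name are choices made here, not anything from the original question.

```perl
#!/usr/bin/perl
# checkpassword: verify a local account's password against /etc/shadow.
# Usage: printf '%s\n' "$password" | checkpassword username
# The password is read from STDIN, never from argv, so it does not show up
# in ps(1) output or in shell history.  (Added example, not from the thread.)
use strict;
use warnings;

my $user = shift @ARGV or die "usage: $0 username  (password on stdin)\n";
# Reject anything that cannot be a login name; this also stops a crafted
# name from lining up with the wrong shadow entry.
$user =~ /^[a-z_][a-z0-9_-]*\$?$/ or die "invalid username\n";

my $password = <STDIN>;
defined $password or die "no password on stdin\n";
chomp $password;

# getpwnam() only returns "x" on a shadowed system, so read /etc/shadow
# directly.  That requires root (or the shadow group on some distributions).
my $stored;
open my $sh, '<', '/etc/shadow' or die "cannot open /etc/shadow: $!\n";
while (my $line = <$sh>) {
    chomp $line;
    my ($name, $hash) = split /:/, $line;
    if ($name eq $user) { $stored = $hash; last; }
}
close $sh;

# Unknown user, locked account ("!" or "*" prefix) or empty hash field:
# fail, but still spend one crypt() call so the timing does not tell the
# caller which of those cases it was.
if (!defined $stored || $stored eq '' || $stored =~ /^[!*]/) {
    my $burn = crypt($password, '$1$dummysalt');   # literal, single-quoted
    exit 1;
}

# Passing the stored hash as the salt makes crypt() reuse the same
# algorithm identifier and salt, so the result is directly comparable.
my $computed = crypt($password, $stored);
exit((defined $computed && constant_time_eq($computed, $stored)) ? 0 : 1);

# Compare without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}
```

Calling it from a parent program looks like `printf '%s\n' "$pw" | ./checkpassword alice; echo $?`, with exit status 0 meaning the password matched. The script deliberately prints nothing on success or failure so that it can be driven over a pipe, which is the usage the comment above assumes.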

Author Comment

ID: 12005917
I found a solution by searching the CPAN perl library. There are two libraries that provide what I am looking for in a fairly straightforward method: Authen-PAM-0.14 and Authen-SimplePam-0.1.24. I am still testing all the features included, but I think it will do what I need.

Thanks to the expert community for some of the suggestions regarding the command line. I don't believe I can integrate the password check directly into the program; however, I think I can protect the password from being sent to the command line either through a tempfile and encrypting / unencrypting the password during the process.
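A PAM-based version of the same `checkpassword` script, tying together the accepted answer's advice (let PAM decide what the user is checked against, and take the password after the program starts) with the Authen::PAM module the author settled on. This is an added example, not the author's code and not the module's own sample. It assumes Authen::PAM is installed from CPAN, that a PAM service file named /etc/pam.d/checkpassword exists (the service name is a choice made here), and that the password arrives on standard input.

```perl
#!/usr/bin/perl
# checkpassword: authenticate a username/password pair through PAM.
# Usage: printf '%s\n' "$password" | checkpassword username
# Which backend is consulted (pam_unix for /etc/shadow, pam_winbind or
# pam_krb5 for Active Directory) is decided by /etc/pam.d/checkpassword,
# not by this script.  (Added example, not from the thread.)
use strict;
use warnings;
use Authen::PAM;

my $service = 'checkpassword';   # assumed PAM service name (/etc/pam.d/checkpassword)

my $user = shift @ARGV or die "usage: $0 username  (password on stdin)\n";
my $password = <STDIN>;
defined $password or die "no password on stdin\n";
chomp $password;

# PAM conversation callback: the modules ask questions, we answer from the
# values we already hold.  Arguments arrive as (msg_type, msg_text) pairs and
# the return value is (status, answer) per message plus a final status.
sub conv {
    my @res;
    while (@_) {
        my $code = shift;
        my $msg  = shift;
        my $ans  = '';
        $ans = $user     if $code == PAM_PROMPT_ECHO_ON();   # "login:" style prompt
        $ans = $password if $code == PAM_PROMPT_ECHO_OFF();  # "Password:" style prompt
        push @res, (PAM_SUCCESS(), $ans);                    # PAM_ERROR_MSG/PAM_TEXT_INFO get ''
    }
    push @res, PAM_SUCCESS();
    return @res;
}

my $pamh;
ref($pamh = Authen::PAM->new($service, $user, \&conv))
    or die "PAM init failed with code $pamh\n";

# pam_authenticate checks the credential; pam_acct_mgmt then applies account
# policy (expired password, locked account, time/host restrictions).
my $res = $pamh->pam_authenticate;
$res = $pamh->pam_acct_mgmt if $res == PAM_SUCCESS();

if ($res == PAM_SUCCESS()) {
    exit 0;
}
print STDERR "authentication failed: ", $pamh->pam_strerror($res), "\n";
exit 1;
```

For the local-account configuration the service file needs an `auth required pam_unix.so` line and an `account required pam_unix.so` line; pam_unix can verify the caller's own password unprivileged through its unix_chkpwd helper, but checking other users still requires running as root. For the Active Directory configuration the same script works unchanged once the service file points at pam_winbind.so (or pam_krb5.so) and the host has been joined to the domain. The $pamh object calls pam_end when it goes out of scope, so no explicit cleanup is needed.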

