How to verify correct username and password

Posted on 2004-09-02
Last Modified: 2010-04-21
I need some direction for writing a security routine. The idea is that a new security program will run prompting the user for a username/password. The program will verify the password with the user's existing account. If it is a good match, we will continue and run the requested application; otherwise, it will notify the user, etc.

The platform will be Red Hat. I am hoping that the code to check the user's username/password can be written as a standalone C program or a shell/perl script. Something like:

checkpassword username password

Where I can check the return status and act accordingly

I have been asked to support verifying the password with two configurations:
   1) the user account on the local redhat server
   2) a user account in a specified active directory,

 depending on the customer's preference.

I have found some references to using apache's htaccess command and some references to using PAM modules, but I am hoping the forum here can find a workable solution.

Question by:jjhalko

Accepted Solution

Mysidia earned 300 total points
ID: 11969761
I think it is best in this case to use PAM as it will mean the C program doesn't need to worry about what exactly the user is being authenticated against.. just so long as you have the right authentication modules for what you need...
See here also:

I don't think running "checkpassword username password" would be a very good input method from a security perspective as it makes it too easy for other programs running on the system to catch the information.

Programs run on the system by any user can possibly see the command line checkpassword was started
with, and if the password was on the command line, it may see that.

(Password should really be input after it is started)


Expert Comment

ID: 11980805
I'm not at all experienced with PAM, or active directory, but I do know about how to handle option (1).

The standard way of verifying a password is to use a 1-way hash function, generally either DES or MD5 to scramble the input password, and then compare it to the stored (scrambled) password, which has been scrambled with the same routine. If they match, then the password is correct.

The C function call you use is crypt(3), which has a prototype that looks like

char *crypt(const char *key, const char *salt);

(most other languages will have a similar implementation, perl certainly does)

The key string contains the plaintext password, and the salt string is a few random characters used to ensure that users with the same password don't get the same hash. The return value is a pointer to the hashed string. The hashed string will have the salt prepended to it. This means that when verifying the password, you should pass the existing hashed string as the salt, and then compare the returned string to the existing hash.

Note that to do this verification, you will need read access to /etc/shadow which means you need to be root.

Having said all this, if you can find a solution using PAM which covers both this, and active directory, then by all means use it, since it'll probably be better than hand coding two separate systems.

Regarding the use of a command line program, I agree that passing cleartext passwords as arguments is a bad idea. If you really have to though, be sure to copy argv[1] and argv[2] to some other local variable, then memset() them to zero; this way (I *think*) they won't be readable to other programs, like ps. Do this before you do anything else (note that there is still a race condition here). I assume that you are planning to use this command line proggy via a pipe, not from a shell. If you do the latter, then the cleartext password will be stored in the history file, which is a *very* bad thing. In general, only give the password as a cmd-line arg if you *really* have to.
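The verification described in this answer, written out as a small Perl script for option (1). This is an added example, not code posted in the thread: it reads the stored hash from a shadow-format file (field 2 of the line for the user; `/etc/shadow` by default, which is only readable by root), passes that hash back to `crypt()` as the salt so the `$id$salt$` prefix is reused, and takes the plaintext from standard input rather than `argv` so it never shows up in `ps` or the shell history. The file name, the `lookup_shadow_hash`/`verify_password` helper names and the "echo -n PASSWORD | checkpassword.pl USERNAME" calling convention are this example's own choices. The same "stored hash as salt" trick also covers the later `$5$`, `$6$` and `$y$` hash formats, because each one carries its own salt and identifier in that prefix.

```perl
#!/usr/bin/perl
# Added example (not from the thread): verify a local account's password with
# crypt(3), handing the stored hash back in as the salt.
use strict;
use warnings;

# Return the password hash for $user from a shadow-format file
# ("user:hash:lastchg:..."), or undef if the user is not listed.
# Defaults to /etc/shadow, so this normally has to run as root.
sub lookup_shadow_hash {
    my ($user, $file) = @_;
    $file //= '/etc/shadow';
    open my $fh, '<', $file or die "cannot open $file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $hash) = split /:/, $line, 3;
        return $hash if defined $name && $name eq $user;
    }
    return undef;
}

# Compare two strings in time independent of where they first differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify $plain against the stored hash. Locked or empty entries
# ("!", "*", "!!" or "") never authenticate.
sub verify_password {
    my ($plain, $stored) = @_;
    return 0 unless defined $stored && length $stored;
    return 0 if $stored =~ /^[!*]/;
    # The stored hash starts with "$id$salt$", so crypt() reuses exactly
    # the algorithm and salt that produced it.
    my $computed = crypt($plain, $stored);
    return 0 unless defined $computed;
    return constant_time_eq($computed, $stored);
}

# Usage: echo -n PASSWORD | checkpassword.pl USERNAME ; exit status 0 = match
if (!caller) {
    my $user = shift @ARGV or die "usage: echo -n PASSWORD | $0 USERNAME\n";
    my $plain = <STDIN>;            # from a pipe, never from the command line
    die "no password on stdin\n" unless defined $plain;
    chomp $plain;
    my $ok = verify_password($plain, lookup_shadow_hash($user));
    # Overwrite the plaintext once it is no longer needed.
    substr($plain, 0, length $plain) = "\0" x length $plain;
    exit($ok ? 0 : 1);
}
```

The caller feeds the password over a pipe and checks only the exit status, which is the "check the return status and act accordingly" interface the question asks for without the command-line exposure both answers warn about.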

Author Comment

ID: 12005917
I found a solution by searching the CPAN perl library. There are two libraries that provide what I am looking for in a fairly straightforward method: Authen-PAM-0.14 and Authen-SimplePam-0.1.24. I am still testing all the features included, but I think it will do what I need.

Thanks to the expert community for some of the suggestions regarding the command line. I don't believe I can integrate the password check directly into the program; however, I think I can protect the password from being sent to the command line either through a tempfile or by encrypting/decrypting the password during the process.
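To tie the accepted PAM answer together with the Authen-PAM module the asker found, here is the same "checkpassword" wrapper built on PAM. It is an added example and not code from the thread or from the Authen::PAM distribution: the service name `checkpassword` (PAM reads its stack from `/etc/pam.d/checkpassword`) and the stdin-based calling convention are assumptions of this example. Whether the password is checked against the local shadow file or against Active Directory is decided entirely by which modules that PAM service file lists, which is the point of the accepted answer; the script itself does not change. As with the crypt approach, checking other users' local passwords through pam_unix still needs root privileges.

```perl
#!/usr/bin/perl
# Added example (not from the thread): authenticate a user through PAM with
# Authen::PAM. The backend (shadow file, LDAP/Kerberos/winbind for Active
# Directory, ...) is chosen by the PAM service configuration, not here.
use strict;
use warnings;
use Authen::PAM;

# Assumed service name: PAM looks for /etc/pam.d/checkpassword.
my $service = 'checkpassword';

my $user = shift @ARGV or die "usage: echo -n PASSWORD | $0 USERNAME\n";

# Take the password from standard input (a pipe from the calling program),
# never from argv, so it is invisible to `ps` and absent from shell history.
my $password = <STDIN>;
die "no password on stdin\n" unless defined $password;
chomp $password;

# PAM conversation callback: PAM passes (type, message) pairs and expects
# (retcode, answer) pairs back, followed by an overall status. Only the
# echo-off prompt (the password question) receives the secret.
sub conv {
    my @res;
    while (@_) {
        my ($type, $msg) = (shift, shift);
        my $ans = '';
        $ans = $user     if $type == PAM_PROMPT_ECHO_ON();
        $ans = $password if $type == PAM_PROMPT_ECHO_OFF();
        push @res, PAM_SUCCESS(), $ans;
    }
    push @res, PAM_SUCCESS();
    return @res;
}

my $pamh;
my $rc = pam_start($service, $user, \&conv, $pamh);
die "pam_start failed with code $rc\n" unless $rc == PAM_SUCCESS();

# pam_authenticate checks the credential; pam_acct_mgmt then rejects
# accounts that are expired or disabled even though the password matched.
$rc = pam_authenticate($pamh, 0);
$rc = pam_acct_mgmt($pamh, 0) if $rc == PAM_SUCCESS();
my $ok = ($rc == PAM_SUCCESS());
print STDERR pam_strerror($pamh, $rc), "\n" unless $ok;

pam_end($pamh, 0);
# Overwrite the plaintext before exiting.
substr($password, 0, length $password) = "\0" x length $password;
exit($ok ? 0 : 1);
```

Switching a customer from local accounts to Active Directory then means editing `/etc/pam.d/checkpassword` to use the site's directory module instead of pam_unix; the wrapper and the program calling it stay the same.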

