• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 569

How to verify correct username and password

I need some direction for writing a security routine. The idea is that a new security program will run prompting the user for a username/password. The program will verify the password with the user's existing account. If it is a good match, we will continue and run the requested application, otherwise, it will notify the user, etc.

The platform will be red hat.  I am hoping that the code to check the user's username/password can be written as a standalone c program or a shell/perl script.  Something like:

checkpassword username password

Where I can check the return status and act accordingly

I have been asked to support verifying the password with two configurations:
   1) the user account on the local redhat server
   2) a user account in a specified active directory,

 depending on the customer's preference.

I have found some references to using apache's htaccess command and some references to using PAM modules, but I am hoping the forum here can find a workable solution.

1 Solution
I think it is best in this case to use PAM as it will mean the C program doesn't need to worry about what exactly the user is being authenticated against, just so long as you have the right authentication modules for what you need...
See here also: http://www.experts-exchange.com/Programming/Programming_Languages/Cplusplus/Q_21104620.html#11897622

I don't think running "checkpassword username password" would be a very good input method from a security perspective as it makes it too easy for other programs running on the system to catch the information.

Programs run on the system by any user can possibly see the command line checkpassword was started with, and if the password was on the command line, it may see that.

(Password should really be input after it is started)

I'm not at all experienced with PAM, or active directory, but I do know about how to handle option (1).

The standard way of verifying a password is to use a 1-way hash function, generally either DES or MD5 to scramble the input password, and then compare it to the stored (scrambled) password, which has been scrambled with the same routine. If they match, then the password is correct.

The C function call you use is crypt(3), which has a prototype that looks like

char *crypt(const char *key, const char *salt);

(most other languages will have a similar implementation, perl certainly does)

The key string contains the plaintext password, and the salt string is a few random characters used to ensure that users with the same password don't get the same hash. The return value is a pointer to the hashed string. The hashed string will have the salt prepended to it. This means that when verifying the password, you should pass the existing hashed string as the salt, and then compare the returned string to the existing hash.

Note that to do this verification, you will need read access to /etc/shadow which means you need to be root.

Having said all this, if you can find a solution using PAM which covers both this, and active directory, then by all means use it, since it'll probably be better than hand coding two separate systems.
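The local-account check described in the comment above, written out as an added example (not code posted in this thread) in Perl, one of the languages the question asked for. It assumes Perl's built-in crypt(), which calls the system crypt(3) and so accepts whatever hash types the libc supports, and a readable /etc/shadow, which in practice means running as root. The script name, the choice to take the password on stdin rather than argv, and the exit codes are this example's own conventions.

```perl
#!/usr/bin/perl
# checkpassword-local: verify a username/password against /etc/shadow.
# Added example, not code from the thread. Usage (password on stdin,
# never on the command line):   printf '%s\n' "$pw" | ./checkpassword-local jdoe
# Exit status: 0 = password correct, 1 = wrong/locked/unknown, 2 = usage/IO error.
use strict;
use warnings;

# Read one user's hash field out of /etc/shadow (name:hash:lastchg:...).
# Needs root; returns undef if the user is not present.
sub shadow_hash {
    my ($user, $file) = @_;
    $file //= '/etc/shadow';
    open my $fh, '<', $file or die "cannot read $file: $!\n";
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $hash) = split /:/, $line;
        return $hash if defined $name && $name eq $user;
    }
    return undef;
}

# Compare two strings without stopping at the first differing byte, so the
# comparison time does not depend on how much of the hash matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 1 if $password matches $hash. Passing the full stored hash as the
# "salt" makes crypt(3) reuse the same algorithm ($1$ MD5, $5$/$6$ SHA-2,
# or traditional DES) and the same salt, so the outputs are comparable.
sub password_ok {
    my ($password, $hash) = @_;
    return 0 unless defined $hash && length $hash;   # no user / no password set
    # A leading "!" or "*" marks a locked or passwordless account; refuse
    # those outright rather than letting crypt() hash against them.
    return 0 if $hash =~ /^[!*]/;
    my $computed = crypt($password, $hash);
    return 0 unless defined $computed;               # unsupported hash type
    return ct_eq($computed, $hash);
}

sub main {
    my ($user) = @ARGV;
    unless (defined $user) {
        print STDERR "usage: $0 USERNAME   (password on stdin)\n";
        return 2;
    }
    my $password = <STDIN>;
    return 2 unless defined $password;
    chomp $password;

    my $ok = password_ok($password, shadow_hash($user));
    # Overwrite the plaintext in this variable; Perl may still hold other
    # copies internally, so this is best effort, not a guarantee.
    substr($password, 0, length $password) = "\0" x length $password;
    print STDERR ($ok ? "password accepted\n" : "authentication failed\n");
    return $ok ? 0 : 1;
}

exit main() unless caller;
```

Because it reads /etc/shadow directly, this program has to run as root (or via a setuid wrapper), which is exactly the privilege the PAM route avoids: with PAM the password check is delegated to the system's own helper, and the program itself needs no access to the hashes.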

Regarding the use of a command line program, I agree that passing cleartext passwords as arguments is a bad idea. If you really have to though, be sure to copy argv[1] and argv[2] to some other local variable, then memset() them to zero, this way (I *think*) they won't be readable to other programs, like ps. Do this before you do anything else (note that there is still a race condition here). I assume that you are planning to use this command line proggy via a pipe, not from a shell. If you do the latter, then the cleartext password will be stored in the history file, which is a *very* bad thing. In general, only give password as cmd-line arg if you *really* have to.
jjhalko (Author) commented:
I found a solution by searching the CPAN perl library. There are two libraries that provide what I am looking for in a fairly straightforward method: Authen-PAM-0.14 and Authen-SimplePam-0.1.24. I am still testing all the features included, but I think it will do what I need.

Thanks to the expert community for some of the suggestions regarding the command line. I don't believe I can integrate the password check directly into the program; however, I think I can protect the password from being sent to the command line through a tempfile and encrypting/unencrypting the password during the process.
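An added example (not code from this thread or from the Authen::PAM distribution) of the PAM approach recommended in the first answer and adopted by the author: a checkpassword program built on the Authen::PAM module from CPAN. It takes the password from the terminal or a pipe rather than from the command line, for the reasons given in the comments above. The PAM service name "checkpassword", the contents of the service file, the choice of AD-capable modules, the script name and the exit codes are all this example's own assumptions; the Authen::PAM calls and the shape of the conversation callback follow that module's documented interface.

```perl
#!/usr/bin/perl
# checkpassword-pam: verify a username/password through PAM, so the same
# program serves local accounts or Active Directory depending only on what
# /etc/pam.d/checkpassword is configured to use. Added example, not code
# from the thread; the service name "checkpassword" is an assumption.
#
# Example service file, /etc/pam.d/checkpassword, for local accounts:
#   auth     required  pam_unix.so
#   account  required  pam_unix.so
# For an AD-joined host the stack would instead name whatever module the
# site uses to reach AD (e.g. pam_winbind.so, pam_sss.so or pam_krb5.so);
# that is a deployment choice, and this program never needs to know it.
#
# Usage: ./checkpassword-pam USERNAME   (password read from tty or stdin)
# Exit status: 0 = authenticated, 1 = rejected, 2 = usage/setup error.
use strict;
use warnings;
use Authen::PAM;

my $SERVICE = 'checkpassword';

# Read the password with echo off when attached to a terminal, or as one
# line from a pipe otherwise. Never from @ARGV: that is visible to ps.
sub read_password {
    my $pw;
    if (-t STDIN) {
        print STDERR 'Password: ';
        system 'stty', '-echo';
        $pw = <STDIN>;
        system 'stty', 'echo';
        print STDERR "\n";
    } else {
        $pw = <STDIN>;
    }
    return undef unless defined $pw;
    chomp $pw;
    return $pw;
}

# PAM "conversation" callback: the modules ask questions through it and we
# answer. Authen::PAM passes a flat list of (code, message) pairs and wants
# (PAM_SUCCESS, answer) pairs back, followed by a final PAM_SUCCESS.
# PAM_PROMPT_ECHO_OFF is the password prompt; everything else (echo-on
# prompts, informational or error messages) gets an empty answer.
sub make_conv {
    my ($password) = @_;
    return sub {
        my @res;
        while (@_) {
            my ($code, $msg) = (shift, shift);
            my $ans = $code == PAM_PROMPT_ECHO_OFF() ? $password : '';
            push @res, (PAM_SUCCESS(), $ans);
        }
        push @res, PAM_SUCCESS();
        return @res;
    };
}

# Returns (1, reason) on success or (0, reason) on failure.
sub authenticate {
    my ($user, $password) = @_;
    my $pamh = Authen::PAM->new($SERVICE, $user, make_conv($password));
    ref $pamh or die "pam_start failed with code $pamh\n";

    # Two distinct checks: is the password right (auth), and may the account
    # be used at all, e.g. not expired or locked (account management).
    my $res = $pamh->pam_authenticate;
    $res = $pamh->pam_acct_mgmt if $res == PAM_SUCCESS();
    my $reason = $pamh->pam_strerror($res);
    $pamh->pam_end($res);   # report the outcome to the modules, free the handle
    return ($res == PAM_SUCCESS(), $reason);
}

my ($user) = @ARGV;
if (!defined $user) {
    print STDERR "usage: $0 USERNAME   (password on stdin)\n";
    exit 2;
}
my $password = read_password();
exit 2 unless defined $password;

my ($ok, $reason) = authenticate($user, $password);
# Best-effort scrub of the plaintext once PAM has finished with it.
substr($password, 0, length $password) = "\0" x length $password;
print STDERR ($ok ? "authentication succeeded\n" : "authentication failed: $reason\n");
exit($ok ? 0 : 1);
```

Two caveats for the local-account case with pam_unix: the check is performed by the setuid helper unix_chkpwd, which lets an unprivileged process verify only the password of the user it is already running as, so a program that must check arbitrary users still has to run as root; and a successful pam_authenticate alone does not mean the account is usable, which is why the example also calls pam_acct_mgmt before reporting success.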
