Solved

How to verify correct username and password

Posted on 2004-09-02
540 Views
Last Modified: 2010-04-21
I need some direction for writing a security routine.  The idea is that a new security program will run prompting the user for a username/password.  The program will verify the password with the user's existing account.   If it is a good match, we will continue and run the requested application, otherwise, it will notify the user, etc.

The platform will be red hat.  I am hoping that the code to check the user's username/password can be written as a standalone c program or a shell/perl script.  Something like:

checkpassword username password

Where I can check the return status and act accordingly

I have been asked to support verifying the password with two configurations:
1) the user account on the local redhat server
2) a user account in a specified active directory,

depending on the customer's preference.

I have found some references to using apache's htaccess command and some references to using PAM modules, but I am hoping the forum here can find a workable solution.



Question by:jjhalko
3 Comments
LVL 23

Accepted Solution

by:
Mysidia earned 300 total points
ID: 11969761
I think it is best in this case to use PAM as it will mean the C program doesn't need to worry about what exactly the user is being authenticated against.. just so long as you have the right authentication modules for what you need...
See here also: http://www.experts-exchange.com/Programming/Programming_Languages/Cplusplus/Q_21104620.html#11897622


I don't think running "checkpassword username password" would be a very good input method from a security perspective as it makes it too easy for other programs running on the system to catch the information.

Programs run on the system by any user can possibly see the command line checkpassword was started with, and if the password was on the command line, it may see that.

(Password should really be input after it is started)

LVL 2

Expert Comment

by:mishagale
ID: 11980805
I'm not at all experienced with PAM, or active directory, but I do know about how to handle option (1).

The standard way of verifying a password is to use a 1-way hash function, generally either DES or MD5 to scramble the input password, and then compare it to the stored (scrambled) password, which has been scrambled with the same routine. If they match, then the password is correct.

The C function call you use is crypt(3), which has a prototype that looks like

char *crypt(const char *key, const char *salt);

(most other languages will have a similar implementation, perl certainly does)

The key string contains the plaintext password, and the salt string is a few random characters used to ensure that users with the same password don't get the same hash. The return value is a pointer to the hashed string. The hashed string will have the salt prepended to it. This means that when verifying the password, you should pass the existing hashed string as the salt, and then compare the returned string to the existing hash.

Note that to do this verification, you will need read access to /etc/shadow which means you need to be root.

Having said all this, if you can find a solution using PAM which covers both this, and active directory, then by all means use it, since it'll probably be better than hand coding two separate systems.

Regarding the use of a command line program, I agree that passing cleartext passwords as arguments is a bad idea. If you really have to though, be sure to copy argv[1] and argv[2] to some other local variable, then memset() them to zero, this way (I *think*) they won't be readable to other programs, like ps. Do this before you do anything else (note that there is still a race condition here). I assume that you are planning to use this command line proggy via a pipe, not from a shell. If you do the latter, then the cleartext password will be stored in the history file, which is a *very* bad thing. In general, only give password as cmd-line arg if you *really* have to.
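A worked version of the crypt(3) check described above, in Perl (an added example, not code posted in this thread): the tool reads the password from standard input instead of the command line, looks the user up in /etc/shadow and compares crypt(password, stored_hash) with the stored hash. The helper names stored_hash and password_matches are this example's own, and the script must run with permission to read /etc/shadow.

```perl
#!/usr/bin/perl
# Added example (not from the thread): verify a username/password against the
# local account database with crypt(3). Needs read access to /etc/shadow, so
# it normally runs as root. The password is read from stdin rather than argv,
# so it never shows up in ps output or in a shell history file.
# Exit status: 0 = password matches, 1 = no match, 2 = usage or lookup error.
use strict;
use warnings;

# Return the stored hash for $user from $shadow_file (default /etc/shadow),
# or undef if the account is absent or locked ("!" / "*" / empty field).
sub stored_hash {
    my ($user, $shadow_file) = @_;
    $shadow_file = '/etc/shadow' unless defined $shadow_file;
    open my $fh, '<', $shadow_file or die "cannot read $shadow_file: $!\n";
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $hash) = split /:/, $line;
        next unless defined $name && $name eq $user;
        return undef if !defined $hash || $hash eq '' || $hash =~ /^[!*]/;
        return $hash;
    }
    return undef;
}

# Passing the stored hash as the salt makes crypt() reuse the same algorithm
# and salt (a 2-char DES salt, or "$id$salt$" for MD5 and newer schemes), so
# the correct password reproduces the stored string exactly.
sub password_matches {
    my ($password, $hash) = @_;
    return 0 unless defined $hash;
    my $computed = crypt($password, $hash);
    return (defined $computed && $computed eq $hash) ? 1 : 0;
}

my $user = shift @ARGV or die "usage: $0 username   (password on stdin)\n";
my $password = <STDIN>;
exit 2 unless defined $password;
chomp $password;

my $hash = stored_hash($user);
exit 2 unless defined $hash;
exit password_matches($password, $hash) ? 0 : 1;
```

Feed the password through a pipe from the calling program (for example `printf '%s\n' "$pw" | ./checkpassword alice`) and branch on the exit status.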

Author Comment

by:jjhalko
ID: 12005917
I found a solution by searching the CPAN perl library.  There are two libraries that provide what I am looking for in a fairly straightforward method.   Authen-PAM-0.14 and Authen-SimplePam-0.1.24.  I am still testing all the features included, but I think it will do what I need.

Thanks to the expert community for some of the suggestions regarding the commandline.  I don't believe I can integrate the password check directly into the program, however, I think I can protect the password from being sent to the command line either through a tempfile and encrypting / unencrypting the password during the process.
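A checkpassword-style tool built on Authen::PAM, the module the author settled on, following Mysidia's advice to take the password after start-up rather than from argv (an added example, not code from this thread or from the Authen::PAM distribution): the PAM service name "checkpassword" and the helper names conv_func and check_user are assumptions, and an /etc/pam.d/checkpassword configuration must exist that names the local or Active Directory modules.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from Authen::PAM's authors): a
# checkpassword tool that authenticates through PAM. PAM's own config decides
# whether the account lives in /etc/shadow or in Active Directory, so this
# script needs no knowledge of either. The service name "checkpassword" is an
# assumption: /etc/pam.d/checkpassword must exist and list the wanted modules.
# The password arrives on stdin, never on the command line. Exit 0 = authenticated.
use strict;
use warnings;
use Authen::PAM;

my $SERVICE = 'checkpassword';
my $password;   # filled in before pam_authenticate, read by the conversation

# PAM asks its questions through this callback as (msg_type, text) pairs.
# Only the echo-off prompt (the password request) gets an answer; every
# message gets a (PAM_SUCCESS, answer) pair, followed by an overall status.
sub conv_func {
    my @res;
    while (@_) {
        my $code = shift;
        my $msg  = shift;
        my $ans  = '';
        $ans = $password if $code == PAM_PROMPT_ECHO_OFF();
        push @res, (PAM_SUCCESS(), $ans);
    }
    push @res, PAM_SUCCESS();
    return @res;
}

# Authenticate $user, then run account management so expired or locked
# accounts are rejected as well. Returns 1 on success, 0 otherwise.
sub check_user {
    my ($user) = @_;
    my $pamh = Authen::PAM->new($SERVICE, $user, \&conv_func);
    return 0 unless ref $pamh;      # a plain number here is a PAM error code
    my $res = $pamh->pam_authenticate;
    $res = $pamh->pam_acct_mgmt if $res == PAM_SUCCESS();
    return $res == PAM_SUCCESS() ? 1 : 0;
}

my $user = shift @ARGV or die "usage: $0 username   (password on stdin)\n";
$password = <STDIN>;
exit 2 unless defined $password;
chomp $password;
my $ok = check_user($user);
$password = '0' x length $password;   # best-effort scrub of the plaintext
exit $ok ? 0 : 1;
```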
