
How to check somebody's password?



marinus
08-25-2005, 03:59 AM
I'm writing a program that will need the user's password. The program should not have to be run as root, but it should work when run normally.

The user should type his login password, and the program should check if the password is right. I can't figure out how to do this. Can anybody help me?


int uid = getuid(); /* see who it is */
char entered_passwd[50];

/* somehow check if entered_password is the user's password
 * how do I do this?? */

if (password_is_correct) {
    /* do something */
} else {
    printf("Wrong!\n");
    /* do something else */
}

Lateralus
08-25-2005, 08:30 AM
A simple one would be strcmp().



if (strcmp(str1, str2) == 0) {
// password is correct
}


Read the man page for strcmp for full details, but it will return 0 if the strings are the same.

marinus
08-25-2005, 10:18 AM
No, that's not what I need. I need some way to see if the password the user typed in is really his login password. I need to get the login password from somewhere, or I need a function which I can pass a string and it will check if it is the login password (the one stored encrypted in /etc/passwd, /etc/shadow or somewhere else depending on your Linux distribution).

Salem
08-25-2005, 10:45 AM
Rough guess
http://man.he.net/man3/getpwent - to get the current user info
http://man.he.net/man3/crypt - encrypt what the user types in (again)
Then compare the two values to see if they match...

marinus
08-26-2005, 12:20 AM
On my system, getpwuid(getuid())->pw_passwd only returns 'x'.

Salem
08-26-2005, 01:01 AM
So start reading around the subject then.

Longie
09-07-2005, 07:44 AM
Try looking at the manual for the things Salem suggested and look at shadow passwords

Jaqui
09-07-2005, 10:06 PM
or, more simply, use the system login.

you can call it from your app, using it to perform the login and password checks.

Lynux-Penguin
09-10-2005, 10:17 AM
PAM also works really really good with programs like this:
http://www.google.com/search?q=Pluggable+Authentication+Module
also for crypt to encrypt the user's password to MD5 (which is what all current Linux distros use, I think)
for the salt have it start with $1$ followed by an 8 character salt, but since it is comparison of an already existing password make sure the salt is the same
for example:
if my password was $1$mysalt12$aXz13ajA/adnzei24kaAHifebn28 then when you do the string comparison
do something like


/* crypt() returns the full string, "$1$mysalt12$" prefix included */
sprintf(user_pass,"%s",crypt(typed_password,"$1$mysalt12"));

note: it is better to use snprintf because of the bounds checking.

-LC
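
The crypt comparison discussed in this thread, as an added example that is not any poster's code: it interprets the password field (including the 'x' that getpwuid() returned above), reuses the stored string as the crypt setting so the salt always matches, and compares the result in constant time. The names classify_pw_field, ct_equal, check_password, hash_fn and demo_hash are hypothetical, and demo_hash is a constructed test double; a real caller passes crypt (link with -lcrypt) and the sp_pwdp field from getspnam(), which needs read access to /etc/shadow.

```c
#include <stddef.h>
#include <string.h>

/* Same signature as crypt(3); real callers pass crypt and link with -lcrypt. */
typedef char *(*hash_fn)(const char *key, const char *setting);

enum pw_field { PW_EMPTY, PW_SHADOWED, PW_LOCKED, PW_HASH };

/* Interpret the password field of a passwd or shadow entry. */
enum pw_field classify_pw_field(const char *f)
{
    if (f == NULL || *f == '\0') return PW_EMPTY;
    if (strcmp(f, "x") == 0)     return PW_SHADOWED; /* hash is in /etc/shadow */
    if (*f == '!' || *f == '*')  return PW_LOCKED;   /* no password can match */
    return PW_HASH;
}

/* Compare two strings without stopping at the first differing byte. */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 on match, 0 on mismatch, -1 if the field cannot be checked. */
int check_password(hash_fn hash, const char *typed, const char *stored)
{
    const char *computed;
    if (classify_pw_field(stored) != PW_HASH) return -1;
    /* The stored string doubles as the setting: the hash function reads the
     * "$id$salt$" prefix and returns the whole string, prefix included, so
     * the result is compared to the stored value as-is. */
    computed = hash(typed, stored);
    if (computed == NULL || computed[0] == '*') return -1; /* failure token */
    return ct_equal(computed, stored);
}

/* Constructed test double, NOT a hash: yields the thread's sample string for
 * the made-up password "hunter2" and a different string for anything else. */
char *demo_hash(const char *key, const char *setting)
{
    (void)setting;
    return strcmp(key, "hunter2") == 0
        ? "$1$mysalt12$aXz13ajA/adnzei24kaAHifebn28" : "$1$mysalt12$no-match";
}
```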