How to check somebody's password?

08-25-2005, 03:59 AM
I'm writing a program that will need the user's password. The program should not have to be run as root, but it should work when run normally.

The user should type his login password, and the program should check if the password is right. I can't figure out how to do this. Can anybody help me?

#include <unistd.h>

uid_t uid = getuid(); /* see who it is */
char entered_passwd[50]; /* what the user typed */
int password_is_correct = 0; /* to be set by the check below */

/* somehow check if entered_passwd is the user's password
 * how do I do this?? */

if (password_is_correct) {
    /* do something */
} else {
    /* do something else */
}

08-25-2005, 08:30 AM
A simple one would be strcmp().

if (strcmp(str1, str2) == 0) {
    // password is correct
}

Read the man page for strcmp for full details, but it will return 0 if the strings are the same.

08-25-2005, 10:18 AM
No, that's not what I need. I need some way to see if the password the user typed in is really his login password. I need to get the login password from somewhere, or I need a function which I can pass a string and it will check if it is the login password (the one stored encrypted in /etc/passwd, /etc/shadow or somewhere else depending on your Linux distribution).

08-25-2005, 10:45 AM
Rough guess
http://man.he.net/man3/getpwent - to get the current user info
http://man.he.net/man3/crypt - encrypt what the user types in (again)
Then compare the two values to see if they match...

08-26-2005, 12:20 AM
On my system, getpwuid(getuid())->pw_passwd only returns 'x'.

08-26-2005, 01:01 AM
So start reading around the subject then.

09-07-2005, 07:44 AM
Try looking at the manual for the things Salem suggested and look at shadow passwords.

09-07-2005, 10:06 PM
Or, more simply, use the system login.

You can call it from your app, using it to perform the login and password checks.

09-10-2005, 10:17 AM
PAM also works really, really well with programs like this:
Also, use crypt to encrypt the user's password to MD5 (which is what all current Linux distros use, I think).
For the salt, have it start with $1$ followed by an 8-character salt, but since it is a comparison with an already existing password, make sure the salt is the same.
for example:
if my password was $1$mysalt12$aXz13ajA/adnzei24kaAHifebn28 then when you do the string comparison
do something like


note: it is better to use snprintf because of the bounds checking.
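
Added example, not code from any poster in this thread: one way to do the comparison the replies describe, passing the stored hash itself as the salt argument so the "$1$salt$" prefix is always the same, and handling the 'x' placeholder that getpwuid() returned above. The names check_password, equal_ct, hash_fn and pw_result are illustrative, and demo_hash is a constructed stand-in with crypt's signature (not a real hash) so the block builds without libcrypt; in real use pass crypt itself, and note that the shadow file is normally readable only by root.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); in real use pass crypt and link with -lcrypt. */
typedef char *(*hash_fn)(const char *key, const char *setting);
enum pw_result { PW_MATCH, PW_MISMATCH, PW_SHADOWED, PW_NO_HASH, PW_ERROR };

/* Constructed stand-in for crypt(3) so the example builds without libcrypt.
 * NOT a real hash: it keeps the "$id$salt$" prefix and appends a checksum. */
char *demo_hash(const char *key, const char *setting)
{
    static char buf[64];
    const char *end = setting;
    unsigned sum = 5381;
    int dollars = 0;
    while (*end && dollars < 3)
        dollars += (*end++ == '$');
    if (dollars < 3 || end - setting > 40)
        return NULL;                   /* not in "$id$salt$..." form */
    while (*key)
        sum = sum * 33u + (unsigned char)*key++;
    snprintf(buf, sizeof buf, "%.*s%08x", (int)(end - setting), setting, sum);
    return buf;
}

/* Compare without stopping at the first differing byte. */
static int equal_ct(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* stored: password field from passwd or shadow; entered: what the user typed. */
enum pw_result check_password(const char *entered, const char *stored, hash_fn hash)
{
    const char *out;
    if (strcmp(stored, "x") == 0)
        return PW_SHADOWED;            /* real hash is in the shadow file */
    if (stored[0] == '\0' || stored[0] == '!' || stored[0] == '*')
        return PW_NO_HASH;             /* nothing to compare against: refuse */
    out = hash(entered, stored);       /* stored hash as setting: same salt */
    if (out == NULL || out[0] == '*')
        return PW_ERROR;               /* hashing failed or method unsupported */
    return equal_ct(out, stored) ? PW_MATCH : PW_MISMATCH;
}
```

Copy the stored hash into your own buffer before calling this, because crypt (like demo_hash here) returns a pointer to a static buffer that the next call overwrites.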