[ale] Verifying a MD5 password?

cfowler cfowler at outpostsentinel.com
Thu Feb 27 15:46:07 EST 2003


You do not have to cut the first 12 chars out.  crypt() is coded to do
that for you.  Just pass the whole thing as the salt.


On Thu, 2003-02-27 at 15:37, Jerry Z. Yu wrote:
> 	take the salt from /etc/shadow. first 12-char string for MD5, or 
> first 2 char for DES (the traditional crypt). 
> 
> 
> 	cfowler:$1$l/RFR3qH$O18qXpGgDpbKm.ERbqtUe0:11824:0:99999:7:::
> 
> 	$realPassHashedByMD5 = '$1$l/RFR3qH$O18qXpGgDpbKm.ERbqtUe0';
> 	$salt = '$1$l/RFR3qH$' ;
> 	$input = 'cfowler';
> 	$inputHashedByMD5 = crypt($input, $salt);
> 
> 	# string comparison; == compares numerically in Perl
> 	if ( $realPassHashedByMD5 eq $inputHashedByMD5 ) {
> 			printf("matched\n");
> 	} else {
> 			printf("go away\n");
> 	}
> 
> On 27 Feb 2003, cfowler wrote:
> 
> #
> #
> #
> #On Thu, 2003-02-27 at 14:59, Robert L. Harris wrote:
> #> 
> #> 
> #> crypt does md5 now?
> #
> #
> #GNU EXTENSION
> #       The glibc2 version of this function has the following additional 
> #       features.  If salt is a character string starting  with the three
> #       characters "$1$" followed by at most eight characters, and
> #       optionally terminated by "$", then instead of using the DES
> #       machine, the glibc crypt function uses an MD5-based algorithm,
> #       and outputs up to 34 bytes, namely "$1$<string>$", where
> #       "<string>" stands for the up to 8 characters following "$1$" in
> #       the salt, followed by 22 bytes chosen from the set
> #       [a-zA-Z0-9./].  The entire key is significant here (instead of
> #       only the first 8 bytes).
> #       Programs using this function must be linked with -lcrypt.
> #
> #
> #> 
> #> Thus spake cfowler (cfowler at outpostsentinel.com):
> #> 
> #> > use crypt(3).  It is the most commonly used to do this kinda thing.
> #> > 
> #> > if(strcmp(encrypted,
> #> >  crypt("this is my plain-text password", encryptedpassed)) == 0) {
> #> >   printf("Password Match");
> #> > } else {
> #> >   printf("Invalid password");
> #> > }
> #> > 
> #> > Perl may have the capability to use crypt.
> #> > 
> #> > 
> #> > On Thu, 2003-02-27 at 14:52, Robert L. Harris wrote:
> #> > > 
> #> > > 
> #> > > We're trying to write a script that can verify passwords against md5
> #> > > password entries.  We've got a good mechanism to get the password from
> #> > > /etc/shadow but something in the actual computation of the md5 hash of
> #> > > the user input is not right.
> #> > > 
> #> > > Anyone have a good command line or HOWTO I can read through?
> #> > > 
> #> > > A couple combinations we've tried:
> #> > > 
> #> > > salt=spudpeel
> #> > > password=foo
> #> > > 
> #> > > #
> #> > > echo -n "foospudpeel" | openssl md5 -binary | openssl base64
> #> > > u9FAH8zsyXmwYX3pBqLd6Q==
> #> > > 
> #> > > # trying with a base64 encoded salt
> #> > > echo -n "foodc3B1ZHBlZWw=" | openssl md5 -binary | openssl base64
> #> > > JmyoP+AVagwGzN0uLF4Mow==
> #> > > 
> #> > > 
> #> > > We've only found a couple docs on how the md5 password hashes are
> #> > > generated, nothing that flat out says "do x, do y, do z, shove it in a
> #> > > file"...
> #> > > 
> #> > > Robert
> #> > > 
> #> > > 
> #> > > 
> #> > > :wq!
> #> > > ---------------------------------------------------------------------------
> #> > > Robert L. Harris                     | PGP Key ID: E344DA3B
> #> > >                                          @ x-hkp://pgp.mit.edu 
> #> > > DISCLAIMER:
> #> > >       These are MY OPINIONS ALONE.  I speak for no-one else.
> #> > > 
> #> > > Diagnosis: witzelsucht  	
> #> > > 
> #> > > IPv6 = robert at ipv6.rdlg.net	http://ipv6.rdlg.net
> #> > > IPv4 = robert at mail.rdlg.net	http://www.rdlg.net
> #> > -- 
> #> > "The Law of Leaky Abstractions"
> #> > There is a time where abstractions lead to the inability to 
> #> > fix problems that leak through the abstraction.
> #> > http://www.joelonsoftware.com/articles/LeakyAbstractions.html
> #> > 
> #> > _______________________________________________
> #> > Ale mailing list
> #> > Ale at ale.org
> #> > http://www.ale.org/mailman/listinfo/ale
> 
> Jerry Z. Yu				+1-404-487-8544 (O)
> systems engineer			z.yu at voicecom.com
> is support, voicecom, llc		www.voicecom.com
> 
-- 
"The Law of Leaky Abstractions"
There is a time where abstractions lead to the inability to 
fix problems that leak through the abstraction.
http://www.joelonsoftware.com/articles/LeakyAbstractions.html
