[ale] Verifying a MD5 password?

Jerry Z. Yu z.yu at voicecom.com
Thu Feb 27 15:37:32 EST 2003


	Take the salt from /etc/shadow: the first 12-char string for MD5, or
the first 2 chars for DES (the traditional crypt).


	cfowler:$1$l/RFR3qH$O18qXpGgDpbKm.ERbqtUe0:11824:0:99999:7:::

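	# field 2 of the shadow entry above
	$realPassHashedByMD5 = '$1$l/RFR3qH$O18qXpGgDpbKm.ERbqtUe0';
	$salt = '$1$l/RFR3qH$' ;
	$input = 'cfowler';
	# crypt() selects the MD5 scheme from the "$1$" prefix of the salt
	$inputHashedByMD5 = crypt($input, $salt);

	# compare as strings with eq; == is numeric in Perl and treats both hashes as 0
	if ( $realPassHashedByMD5 eq $inputHashedByMD5 ) {
		printf("matched\n");
	} else {
		printf("go away\n");
	}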

On 27 Feb 2003, cfowler wrote:

#
#
#
#On Thu, 2003-02-27 at 14:59, Robert L. Harris wrote:
#> 
#> 
#> crypt does md5 now?
#
#
#GNU EXTENSION
#       The glibc2 version of this function has the following additional 
#       features.  If salt is a character string starting  with the three
#       characters "$1$" followed by at most eight characters, and
#       optionally terminated by "$", then instead of using the DES
#       machine, the glibc crypt function uses an MD5-based algorithm,
#       and outputs up to 34 bytes, namely "$1$<string>$", where
#       "<string>" stands for the up to 8 characters following "$1$" in
#       the salt, followed by 22 bytes chosen from the set
#       [a-zA-Z0-9./].  The entire key is significant here (instead of
#       only the first 8 bytes).
#       Programs using this function must be linked with -lcrypt.
#
#
#> 
#> Thus spake cfowler (cfowler at outpostsentinel.com):
#> 
#> > use crypt(3).  It is the most commonly used to do this kinda thing.
#> > 
#> > if(strcmp(encrypted,
#> >  crypt("this is my plain-text password", encryptedpassed)) == 0) {
#> >   printf("Password Match");
#> > } else {
#> >   printf("Invalid password");
#> > }
#> > 
#> > Perl may have the capability to use crypt.
#> > 
#> > 
#> > On Thu, 2003-02-27 at 14:52, Robert L. Harris wrote:
#> > > 
#> > > 
#> > > We're trying to write a script that can verify passwords against md5
#> > > password entries.  We've got a good mechanism to get the password from
#> > > /etc/shadow but something in the actual computation of the md5 hash of
#> > > the user input is not right.
#> > > 
#> > > Anyone have a good command line or HOWTO I can read through?
#> > > 
#> > > A couple combinations we've tried:
#> > > 
#> > > salt=spudpeel
#> > > password=foo
#> > > 
#> > > #
#> > > echo -n "foospudpeel" | openssl md5 -binary | openssl base64
#> > > u9FAH8zsyXmwYX3pBqLd6Q==
#> > > 
#> > > # trying with a base64 encoded salt
#> > > echo -n "foodc3B1ZHBlZWw=" | openssl md5 -binary | openssl base64
#> > > JmyoP+AVagwGzN0uLF4Mow==
#> > > 
#> > > 
#> > > We've only found a couple docs on how the md5 password hashes are
#> > > generated, nothing that flat out says "do x, do y, do z, shove it in a
#> > > file"...
#> > > 
#> > > Robert
#> > > 
#> > > 
#> > > 
#> > > :wq!
#> > > ---------------------------------------------------------------------------
#> > > Robert L. Harris                     | PGP Key ID: E344DA3B
#> > >                                          @ x-hkp://pgp.mit.edu 
#> > > DISCLAIMER:
#> > >       These are MY OPINIONS ALONE.  I speak for no-one else.
#> > > 
#> > > Diagnosis: witzelsucht  	
#> > > 
#> > > IPv6 = robert at ipv6.rdlg.net	http://ipv6.rdlg.net
#> > > IPv4 = robert at mail.rdlg.net	http://www.rdlg.net
#> > -- 
#> > "The Law of Leaky Abstractions"
#> > There is a time where abstractions lead to the inability to 
#> > fix problems that leak through the abstraction.
#> > http://www.joelonsoftware.com/articles/LeakyAbstractions.html
#> > 
#> > _______________________________________________
#> > Ale mailing list
#> > Ale at ale.org
#> > http://www.ale.org/mailman/listinfo/ale

Jerry Z. Yu				+1-404-487-8544 (O)
systems engineer			z.yu at voicecom.com
is support, voicecom, llc		www.voicecom.com
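
Added example, not part of the original thread: a from-scratch Python version of the "$1$" algorithm that crypt(3) applies, showing the 1000-round construction and crypt's own base64 alphabet, which is why a single `openssl md5` pass over password and salt never reproduces a shadow entry. The names `md5crypt`, `verify` and `SAMPLE` are hypothetical, and the sample shadow line is constructed from the salt and password quoted in the thread.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt's own base64: least-significant 6 bits first, not RFC 4648
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password, salt):
    """Return the "$1$salt$hash" string that crypt() yields for a "$1$" salt."""
    pw, sl = password.encode(), salt.encode()[:8]      # salt is at most 8 chars
    alt = hashlib.md5(pw + sl + pw).digest()           # alternate sum
    ctx = hashlib.md5(pw + b"$1$" + sl)                # main sum includes the magic
    for off in range(0, len(pw), 16):                  # one alt byte per password byte
        ctx.update(alt[:min(16, len(pw) - off)])
    n = len(pw)
    while n:                                           # one byte per bit of the length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                              # key-stretching rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in order)
    return "$1$" + sl.decode() + "$" + body + _to64(final[11], 2)

def verify(shadow_line, candidate):
    """Check candidate against field 2 of an /etc/shadow line ($1$ entries only)."""
    fields = shadow_line.split(":")
    if len(fields) < 2 or not fields[1].startswith("$1$"):
        return False           # locked ("!", "*"), empty, DES or another scheme
    parts = fields[1].split("$")                       # ['', '1', salt, hash]
    if len(parts) != 4:
        return False
    computed = md5crypt(candidate, parts[2])
    return hmac.compare_digest(computed.encode(), fields[1].encode())

# Constructed sample entry: user "demo", salt "spudpeel", password "foo"
SAMPLE = "demo:" + md5crypt("foo", "spudpeel") + ":11824:0:99999:7:::"
```
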
