cpanel password encryption

Discussion in 'General Discussion' started by typhon, Sep 21, 2004.

  1. typhon

    hey guys...

    cpanel for the most part stores the username and passwords in /etc/shadow.

    my question is:
    they use md5 crypt. but what is the salt? i am trying to figure this out so i can create a centralized login system for my client area.

    thanks

    mike
     
  2. typhon

    Okay I worked something up that works... The salt was just the already made password :-/ Look aside the messiness of this file for now as I wrote it in just a minute. I am just using it to demonstrate how to do this.

    The code is php and just looks to verify the username and password.

    Code:
    <?php

    // let's make the user list in the format: $array['username'] = 'password'
    $users = file_get_contents('/etc/shadow'); // grab user and pass file (readable by root only)
    if ($users === false) {
        exit('Could not read /etc/shadow');
    }
    $users = explode("\n", $users); // split the file into an array of lines

    // now let's turn every line into an array of fields (a multidimensional array)
    $myuser = array();
    foreach ($users as $user) {
        $myuser[] = explode(':', $user);
    }

    // now let's get them into the format we wanted
    $users = array();
    foreach ($myuser as $user) {
        // we don't want empty usernames, passwords or system running users.
        if (empty($user[0]) || empty($user[1]) || $user[1] == '!!' || $user[1] == '*') {
            continue;
        }
        $users[$user[0]] = $user[1];
    }
    print_r($users); // let's print it out (debug only: this dumps every password hash)

    // the following code demonstrates how to check the username and password.
    if (CRYPT_MD5 == 1) {
        $username = 'someuser';
        $userpass = 'somepass';
        if (!array_key_exists($username, $users)) {
            echo 'User does not exist!';
            exit;
        }

        $password = $users[$username]; // stored hash; crypt() takes the salt from it

        // hash_equals() compares the two hashes in constant time
        if (hash_equals($password, crypt($userpass, $password))) {
            echo 'Password verified!';
        }
        else {
            echo 'Password Mismatch!';
        }
    }
    ?>
    
     
  3. chirpy

    That's how salting works. The salt used to encrypt the password should be random. To check a password you encrypt it using the resultant encrypted password as the salt to get a match (as you've found).
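
The salting behaviour described in the posts above, as an added example that is not part of the original thread: the salt is stored inside the `$1$<salt>$<digest>` string itself, which is why passing the stored hash to crypt() reproduces it. The function names and the sample shadow line are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and the sample
// shadow line are constructed for illustration.

// Split an MD5-crypt hash "$1$<salt>$<digest>" into its salt and digest.
function parse_md5crypt(string $hash): ?array
{
    if (!preg_match('#^\$1\$([^$]{0,8})\$([./0-9A-Za-z]{22})$#', $hash, $m)) {
        return null; // "!!", "*", empty, or not an MD5-crypt hash
    }
    return ['salt' => $m[1], 'digest' => $m[2]];
}

// Hash a new password: the random salt is chosen here, once, and stored in the result.
function md5crypt_hash(string $password): string
{
    // 6 random bytes -> 8 base64 characters, mapped into crypt's [./0-9A-Za-z] alphabet
    $salt = strtr(base64_encode(random_bytes(6)), '+', '.');
    return crypt($password, '$1$' . $salt . '$');
}

// Check a candidate password against the hash field of a shadow entry.
function verify_shadow_password(string $candidate, string $stored): bool
{
    if (parse_md5crypt($stored) === null) {
        return false; // locked or malformed field: nothing to compare against
    }
    // crypt() reads "$1$<salt>$" from $stored and ignores the digest after it.
    return hash_equals($stored, crypt($candidate, $stored));
}

// Constructed shadow line for a hypothetical user.
$line = 'someuser:' . md5crypt_hash('somepass') . ':12682:0:99999:7:::';
[$name, $stored] = explode(':', $line);
$fields = parse_md5crypt($stored);
echo "salt: {$fields['salt']}\n";

// The salt prefix alone reproduces the stored hash for the right password.
var_dump(crypt('somepass', '$1$' . $fields['salt'] . '$') === $stored);
var_dump(verify_shadow_password('somepass', $stored));
var_dump(verify_shadow_password('wrongpass', $stored));
var_dump(verify_shadow_password('somepass', '!!'));
// Hashing the same password again picks a new salt, so the hashes differ.
var_dump(md5crypt_hash('somepass') === $stored);
```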
     
  4. Thaeke.com

    You've made a php script which as far as I can see should work fine but there is one problem. To read the shadow file you need root access. How can I implement this in my user verification script on my website so that if a valid user-password combination is entered in a form it starts a session and if not, they can't get access to the member area?
     
  5. Sheldon

    that's the catch...

    no easy solution as far as I know.
     
  6. Roy@ENHOST

    Is it possible to use this script to implement a 'keep me logged in' function?
     
  7. typhon

    most likely not.

    what i am doing with the information in the shadow document is creating a database with the users and the passwords that are already encrypted then encrypting them again. from that you would need to create a custom script for them to login and out most likely using curl to do this, so if they are not logged in and they have a cookie and possibly still an active session you would need to have something like a php script grab those values then log them in.

    may be pretty time consuming.
     