PHP Password / Linux Admin Password Comparison

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
i have an application that should allow acces to linux administrators

iow, i want to code a php script that will be able to compare the
entered password with the linux adminstrator's password on the fedora
core 4 linux box.

can this be done?  if so, how?


Re: PHP Password / Linux Admin Password Comparison

is that possible since the passwords in UNIX are hidden in a file that
cannot be accessed by anyone other than the system? I believe it's a
"Shadow" file, that's what it's called. I'm not possitive on that


Re: PHP Password / Linux Admin Password Comparison

Kimmo Laine wrote:
Quoted text here. Click to load it

Unless next_page.php generates PHP, the script with this include will
only get HTML.

Quoted text here. Click to load it


    if (isset($_GET['foo'])) {
      echo '<?php echo $_GET[\'foo\']; ?>';
    } else {
      echo '<?php echo \'Not available\'; ?>';

File not found: (R)esume, (R)etry, (R)erun, (R)eturn, (R)eboot

Re: PHP Password / Linux Admin Password Comparison

Alright tia

First I have to say Alex's idea of using mysql to track usernames is a
better idea than mine and far safer than what I came up with. I urge
you to do what he suggested.

But if you think security is for wimps you could do the following

Use a script that calls the su command to try and change to an user,
then use whoami to see if the user name has changed to what you wanted.
If the username has changed then the password was correct.

This script will do it for you...


//Change these two
$username = "root";
$password = "yeahright";

//next line not necessary, just for the test
exec( "whoami" , $whoamiThen  );

$desc = array(
  0 => array("pipe","r"),    //stdin for sending password to su command
  1 => array("pipe","w"),    //stdout, to collect the result of whoami

//execute su command and open stdin/stdout pipes
$pr = proc_open( "/bin/su $username -c \"whoami\"" , $desc , $pipes );

//su will be now waiting for a password,
fwrite( $pipes[0] , "$password\n"  );
fclose( $pipes[0] );

//only if password is correct the whoami command is now run ( from the
commandline option '-c "whoami"' in 1st argument to proc_open )
$whoamiNow = fgets( $pipes[1] );
fclose( $pipes[1] );

//close process
$ret = proc_close($pr);

print "I was <br>I am now $whoamiNow\n<br>";
echo "Returned: $ret";

if( $whoamiNow == $username ) {
    //password is good
} else {
    //at least track i.p. address, time and especially limit to 3
incorrect attempts then block ip/username from more tries


On my system the result was:

I was wwwrun
I am now root
Returned: 0

This script is very very risky, as it is now it allows anyone on the
net unlimited attempts to guess the root password.

If you use it then use get_magic_quotes and addslashes to prevent code
injection with the $username and make sure people are blocked after a
few incorrect attempts, delayed in between attempts and log everything.
It would be best if you block everyone not on a trusted i.p. address.


Re: PHP Password / Linux Admin Password Comparison

thaks for the input.  i agree this is a security nightmare, but the
product engineer wants to do this.  the product is a stand alone
product.  the laptop is hooked up directly to the product and the
product has no internet access.  however, if the laptiop was wirelessly
on a network while accessing the product, security might be an issue.

i think the goal of the product engineer is as follows:

1. only allow a person who has root access to access the product's
2. if the root password is changed, the password for the program should
be changed, too - thus enabling the root password holder access w/o the
pain of setting the password twice.

i am using a xml file as a db, however, that wouldn't meet criteria #2
above, unless there was a way to automatically update the password in
the file when the root password was updated.

obviously, i wouldn't want this in plain text. ;-)

my thought is to get the encrypted value of the root password into php
(not the actual password, mind you) into php and then compare it to the
encrypted value of the user input.

1. i'd need to have access to the encrypted root password (link,
symlink, maybe).
2. i'd need to know the encryption method so i could duplicate the
process in php and compare the encrypted password values.

is this doable?

i will mull over tihu's code and see if it applies to this case.  the
product shouldn't be connected to the net, but i don't know if the
accessing laptop will be connected to the internet while accessing the

Site Timeline