>Hi Tim,
>
>I'm not totally sure, but I don't think this will work. You could parse the
>passwd file to get the usernames, but the passwords are encrypted. Since
>you don't have the system's decryption key, you would not be able to
>determine the password. If you just used what is in /etc/shadow it would
>not match the password that the users enter when they try to authenticate
>in Django.
>
Depending on the system, they may not even be decrypted -- rather
they are some sort of hash with a system (random) seed (the first two
characters I believe are the seed).
System authentication then relies upon finding the user in the
passwd file (and if used, the shadow file), extracting the hash, using
the first two characters of the stored hash value as a seed to hash the
password supplied by the user, and seeing if that matches the rest of
the saved hash. The seed is randomly generated to minimize the chance
that two users with the same password produce the same value in the
passwd/shadow file(s)..
http://en.wikipedia.org/wiki/Crypt_%28Unix%29#Library_Function_crypt.283.29
(hmm, terminology fault -- I used "seed" but the formal term appears to
be "salt")
--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com HTTP://wlfraed.home.netcom.com/
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
No comments:
Post a Comment