Reputation: 149
Good Day.
I'm trying to write a Python script that will take a captured password and then compare it to the system shadowed password.
I'm using Ubuntu 12.10 for this test and running the script as sudo.
    def login(user, password):
        "Check if user would be able to login using password"
        try:
            pw1 = spwd.getspnam(user)[1]
            allus = spwd.getspall()
            print pw1
            # pw2 = crypt.crypt(password, pw1[:2])
            pw2 = crypt.crypt(password, '\$6\$SALTsalt\$')
            print pw2
            return pw1 == pw2
        except KeyError:
            return 0 # no such user
Now the above returns 2 different passwords, but I do get the one from the shadowed.
So my question is: how do I encrypt the supplied password so I can compare it to the one retrieved? Any help would be awesome.
Edit addon
    def login(user, password):
        "Check if user would be able to login using password"
        try:
            pw1 = spwd.getspnam(user)[1]
            allus = spwd.getspall()
            # print allus
            print pw1
            # pw2 = crypt.crypt(password, pw1[:2])
            # pw2 = crypt.crypt(password, '\$6\$SALTsalt\$')
            pw2 = hashlib.new()
            pw2.update(password)
            pw2.digest()
            print pw2
            return pw1 == pw2
        except KeyError:
            return 0 # no such user
That also did not work. How does one implement hashlib to get the hash to match the system password?
Upvotes: 2
Views: 5758
Reputation: 20369
I've made an example on how to authenticate using shadowed passwords. I added some comments to let the code speak for itself.
Some extra info:
Also note (from the crypt module docs):
This module implements an interface to the crypt(3) routine, which is a one-way hash function based upon a modified DES algorithm; see the Unix man page for further details. Possible uses include allowing Python scripts to accept typed passwords from the user, or attempting to crack Unix passwords with a dictionary.
Notice that the behavior of this module depends on the actual implementation of the crypt(3) routine in the running system. Therefore, any extensions available on the current implementation will also be available on this module.
This is also why you cannot use hashlib without problems.
    import crypt    # Interface to crypt(3), to encrypt passwords.
    import getpass  # To get a password from user input.
    import spwd     # Shadow password database (to read /etc/shadow).

    def login(user, password):
        """Tries to authenticate a user.
        Returns True if the authentication succeeds, else the reason
        (string) is returned."""
        try:
            enc_pwd = spwd.getspnam(user)[1]
            if enc_pwd in ["NP", "!", "", None]:
                return "user '%s' has no password set" % user
            if enc_pwd in ["LK", "*"]:
                return "account is locked"
            if enc_pwd == "!!":
                return "password has expired"
            # Encryption happens here, the hash is stripped from the
            # enc_pwd and the algorithm id and salt are used to encrypt
            # the password.
            if crypt.crypt(password, enc_pwd) == enc_pwd:
                return True
            else:
                return "incorrect password"
        except KeyError:
            return "user '%s' not found" % user
        return "unknown error"

    if __name__ == "__main__":
        username = raw_input("Username:")
        password = getpass.getpass()
        status = login(username, password)
        if status == True:
            print("Logged in!")
        else:
            print("Login failed, %s." % status)
Upvotes: 4
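The answer's comment says the algorithm id and salt are taken from the stored entry; the following added example (written for Python 3, not part of the original answer) shows which part of the field that is, and why `pw1[:2]` or a fixed salt cannot reproduce the stored hash. It goes slightly beyond the answer by rejecting `!<hash>` locked entries and comparing in constant time; `parse_shadow_field`, `verify`, the `crypt_fn` parameter and the sample entry are assumptions made for illustration.

```python
import hmac

# crypt(3) ids for the "$id$salt$hash" layout used by glibc on Linux.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

# Constructed sample entry (not a real hash), shaped like a SHA-512 shadow field.
SAMPLE = "$6$Zx8kQ1aB$ConstructedNotARealHashValue0123456789"


def parse_shadow_field(field):
    """Describe the password field (2nd column) of an /etc/shadow entry."""
    if not field:
        return {"state": "no-password"}
    if field[0] in "!*":
        # crypt(3) output never starts with '!' or '*'; "!<hash>" is a
        # locked password, so it must be rejected before any hashing.
        return {"state": "locked"}
    parts = field.split("$")
    if parts[0] != "":
        # No "$id$" prefix: traditional DES crypt, salt = first 2 characters.
        return {"state": "usable", "scheme": "des-crypt", "setting": field[:2]}
    if len(parts) < 4 or parts[1] not in SCHEMES:
        return {"state": "unsupported"}
    rest, rounds = parts[2:], None
    if rest[0].startswith("rounds=") and rest[0][len("rounds="):].isdigit():
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    if len(rest) != 2:
        return {"state": "unsupported"}
    # "setting" is everything crypt(3) reads from its 2nd argument: id,
    # optional rounds and the per-user salt. The trailing hash is ignored.
    return {"state": "usable", "scheme": SCHEMES[parts[1]], "rounds": rounds,
            "salt": rest[0], "setting": field[:field.rindex("$") + 1]}


def verify(password, field, crypt_fn):
    """Check password against a shadow field; crypt_fn(word, setting) -> str."""
    if parse_shadow_field(field)["state"] != "usable":
        return False
    candidate = crypt_fn(password, field)
    # crypt(3) may fail (None); compare in constant time otherwise.
    return candidate is not None and hmac.compare_digest(candidate, field)
```

Where the standard-library `crypt` module is available (it was removed in Python 3.13), pass `crypt.crypt` as `crypt_fn`.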