"Dr. Sharukh K. R. Pavri." proclaimed:
> Sorry, but I don't understand. What I always thought was that when you login
> and give a password, that password is encrypted and the result is compared
> to that already in a file (etc/password or etc/shadow) right ?
> 
> So how come if the result of encrypting the same string separately gives
> different results, does user authentication occur ?
> or am I going off at the deep end ?

The string under the password entry in /etc/passwd or /etc/shadow is not
exactly the encrypted password. It is a combination of the encrypted
password and the salt that was used.

Here is what happens when authentication occurs:

1. The password typed in by the user is passed to crypt() along with the
salt that was used when the user's password was first created (which is got
from the password entry in passwd or shadow).

2. The encrypted string is then compared against the encrypted string in
the password file.  If they match, then the user is authenticated.

The trick is the salt.  The salt is something that varies quite a bit.  If
you and I choose the same word as our passwords, the salt used to encrypt
that word is different between us.  This ensures that the entry in the
password file is not the same for both of us.

Thaths
-- 
"This is a very, very proud day for us! Especially me, your father, me, 
beat City Hall! It's just like David and Goliath, only this time, David
                   won!" -- Homer J. Simpson
Sudhakar C13n    http://www.aunet.org/thaths/    Lead Indentured Slave

----------------------------------------------
LIH is all for free speech.  But it was created
for a purpose.  Violations of the rules of
this list will result in stern action.
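The two-step check Thaths describes (re-run the password through the one-way function with the salt pulled out of the stored entry, then compare) is shown below as an added example; it is not code from the thread or from any libc. It substitutes Python's hashlib PBKDF2 for crypt(), and the entry format `$pbkdf2$<salt-hex>$<hash-hex>` is constructed for the example, loosely modelled on the `$id$salt$hash` layout of modern crypt(3) entries rather than copied from it.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed entry format for this example: "$pbkdf2$<salt-hex>$<hash-hex>".
# The stored string carries the salt alongside the hash, which is exactly
# why the password file does not need the salt kept anywhere else.
SCHEME = "pbkdf2"
ITERATIONS = 100_000  # work factor; constructed value, not a recommendation


def make_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Create a password-file entry: a fresh random salt plus the salted hash."""
    if salt is None:
        salt = os.urandom(16)  # each user gets their own salt at password-set time
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"${SCHEME}${salt.hex()}${digest.hex()}"


def verify(password: str, entry: str) -> bool:
    """Step 1: recover the salt from the stored entry and re-hash the typed password.
    Step 2: compare the result with the stored hash (constant-time)."""
    try:
        _, scheme, salt_hex, digest_hex = entry.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed or unsupported entry never authenticates
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_two_users(password: str) -> bool:
    """The point of the salt: two users with the same password get different
    entries, yet each entry still verifies that same password."""
    entry_a = make_entry(password)
    entry_b = make_entry(password)
    return entry_a != entry_b and verify(password, entry_a) and verify(password, entry_b)


if __name__ == "__main__":
    # Constructed demo values.
    entry = make_entry("correct horse")
    print(entry)
    print("login ok:", verify("correct horse", entry))
    print("wrong password:", verify("wrong horse", entry))
    print("same password, different salts, both verify:", same_password_two_users("hunter2"))
```

Running it prints a different entry every time because the salt is random, yet `verify` succeeds for the right password each time, since it reads the salt back out of the entry instead of generating a new one. Comparing with `hmac.compare_digest` rather than `==` avoids leaking how many leading bytes matched through timing.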
