First off, if you don't already know, the linux passwords are stored in the 
/etc/passwd file (unless you have a shadow suite installed, in which case 
/etc/shadow would be a good bet.) Basing this on a shadow file, the file is a 
text document with one user per line. The entries are stored in the following 
format: username:passwd:last:may:must:warn:expire:disable:reserved. All you 
really need for changing the password is the passwd section, although the 
other sections could be useful.

The password is not stored as plaintext, has been crypted (may be a new 
word...). Now, if you aren't familier with crypt, it is based on the DES, 
which is a symetrical algorithm. The password (called salt in this case) is a 
two character string chosen from [a-zA-Z0-9./]. This means there are (getting 
calculator out...) ((2)26+10+2)squared=4096 possible versions of the string.

Now I don't know if a different salt is used for each user or if it is 
uniform throughout. I'll put together a script that crypts my password with 
every salt string possible and checks it against my shadow file, then tries 
that salt with other passwords on my box. Fun project.

So basically, you would have to find the correct salt, crypt the new 
password, then use PHP's file functions to manipulate the passwd/shadow file- 
which brings up yet another problem- security. Do you really want to give PHP 
access to your passwd/shadow file??? Also, if I were you I would verify their 
old password too... just in case bob tries to change sue's password.

If anything in here is outdated or just plain wrong please tell me.

Evan Nemerson

PS i thought /usr/bin/md5 should exist so here:

#!/usr/local/bin/php -q

echo md5(trim(implode(" ",$argv)))."\n";

On Thursday 04 October 2001 07:28 pm, you wrote:
> What is the best way to change linux passwords using a web .PHP interface?
> I currently allow FTP access to php enabled webhosting sites; which use
> safe mode, thus use real linux accounts.
> Thus far I thought I would:
> Write a real short C program which would call allow to go
>         setpasswd <username> <passwd>
>         passwd could perhaps be the crypt() version to provide better
> security? it would just call passwd, and ensure that username is not 'root'
> and a few other accounts ;)
> Then I would put that program within the directory of executables allowed
> in safe mode. And just have a plain http post form to update the password,
> running over HTTPS.
> Does this seem a good plan ... or are there better?
> It also begs the question; how do I authenticate an account using php ...
> to login to their 'change password' feature? I have already spent alot of
> time trying to merge password files for different uses; Windows
> shares, Linux ones, for samba, and this and that, so it'd be nice to now
> have yet another passwd file :)
> Siggy

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to