Validating A User/Password Pair + Getting Groups On Unix
Kanenas
kanenas_ at t_comcast_d.t_net
Tue Mar 1 18:12:19 EST 2005
On Tue, 1 Mar 2005 09:45:26 -0600, Skip Montanaro <skip at pobox.com>
wrote:
> >> 1) Validate that the password is correct for that user *without
> >> actually logging in*.
> >>
> Kanenas> The 'pwd' module probably won't be able (and won't try) to read
> Kanenas> the shadow password file, so 'pwd' won't be of use.
>
>Note that an spwd module was recently added to Python's CVS repository. I
>imagine it will be in 2.5.
>
>Skip

It turns out 'pwd' uses the system 'getpwuid' and 'getpwnam' rather
than parsing /etc/passwd, so it can get the encrypted password if the
getpw* functions read the shadow passwd and the Python process has
EUID 0 (or whatever access rights getpw* use to determine when to
return the encrypted passwd). I misread (was misled by?) the 'pwd'
documentation:

"However most modern unices use a so-called shadow password
system. On those unices the field pw_passwd only contains a asterisk
('*') or the letter "x" where the encrypted password is stored in a
file /etc/shadow which is not world readable."

This is true if the getpw* don't read from the shadow passwd, which is
the case for Solaris and Linux. Linux and Solaris use getsp*, which
'spwd' is based on, to manage the shadow passwd. On OpenBSD and
FreeBSD, getpw* read from the shadow passwd and the getsp* don't
exist.

In summation, use 'pwd' to retrieve encrypted password on OpenBSD and
FreeBSD (and others?), 'spwd' on Linux and Solaris (and others?).
Assuming one goes this route.
--
Kanenas
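
The lookup order described in the message above, as an added example that is not part of the original post: try getpw* first (the BSD case), fall back to getsp* (the Linux/Solaris case), then compare crypt(3) output in constant time. The names `usable`, `stored_hash`, `check_password` and the injectable `getpw`/`getsp`/`crypt_fn` parameters are hypothetical; it assumes a Python that still ships 'spwd' and 'crypt' (both were removed in 3.13) and a process privileged enough to read the hash.

```python
import hmac
import pwd

try:
    import spwd   # getsp* wrapper (Linux, Solaris); removed in Python 3.13
except ImportError:
    spwd = None
try:
    import crypt  # crypt(3) wrapper; removed in Python 3.13
except ImportError:
    crypt = None


def usable(field):
    """True if a passwd/shadow field can be a real crypt(3) hash.

    'x' and '*' are the shadow placeholders named in the pwd docs quoted
    above; treating a leading '!' or '*' as locked and rejecting an empty
    field (fail closed) are choices made for this example.
    """
    return bool(field) and field != "x" and field[0] not in "!*"


def stored_hash(user, getpw=pwd.getpwnam, getsp=spwd.getspnam if spwd else None):
    """Return the user's hash via getpw* (BSD style) or getsp*, else None."""
    try:
        field = getpw(user).pw_passwd
    except KeyError:
        return None                      # no such user
    if usable(field):
        return field                     # getpw* read the shadow database
    if getsp is None:
        return None
    try:
        field = getsp(user).sp_pwdp
    except (KeyError, PermissionError):  # no shadow entry, or not privileged
        return None
    return field if usable(field) else None


def check_password(user, password, crypt_fn=None, **lookups):
    """Validate user/password without logging in; False on any failure."""
    crypt_fn = crypt_fn or (crypt.crypt if crypt else None)
    expected = stored_hash(user, **lookups)
    if expected is None or crypt_fn is None:
        return False
    try:
        candidate = crypt_fn(password, expected)  # stored hash doubles as salt
    except OSError:
        return False
    if not candidate:
        return False
    return hmac.compare_digest(candidate.encode(), expected.encode())
```

Every failure path (unknown user, placeholder or locked field, missing privilege, unsupported hash scheme) returns False rather than raising, so a caller cannot mistake a lookup error for a successful match.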