# Simple way to verify user passwords from a shell or web script



## varda (Apr 20, 2012)

Hello gentlemen.

Please suggest simple or right way to verify user passwords from a shell or web script. I'm planning to implement a light user management interface. Currently I'm performing it against local ftp:

```
wget --spider --quiet "ftp://$user:$pass@localhost" >/dev/null 2>&1 && ... doing something useful ...
```

Thank you.


----------



## kr651129 (Jun 4, 2012)

I've never used curl in a shell script but I think you can from what I found?  Try that and let me know how it goes.


----------



## fluca1978 (Jun 4, 2012)

I'd use Perl to get the input password, encrypt it and check against the stored password. Something like the following:


```
#!/usr/bin/perl                                                      

my $password = $ARGV[0];
my $storedPassword = (getpwuid($<))[1];
my $encPassword = crypt( $password, "w582" );

print "Checking \n\t $encPassword \nagainst\n\t $storedPassword\n";

# print the encrypted password to stdout                             
if( crypt($password,"md5") == $storedPassword ){
    print "AUTHENTICATED!";
}
```

But I don't know how to get the right salt. Somebody can explain it better.


----------



## expl (Jun 4, 2012)

fluca1978 said:
			
		

> I'd use Perl to get the input password, encrypt it and check against the stored password.



It'd be more clean and portable if you would use bindings for pam(). Unless you are using some custom user hashes not the /etc/passwd ones. In either case don't use MD5 for password hashing, it's bad 'm kay?


----------



## SirDice (Jun 4, 2012)

It's not going to work as expected anyway. Apache (or any other web service) runs on the www/www account. It doesn't have access to /etc/master.passwd (where the hashes are stored).


----------



## expl (Jun 4, 2012)

SirDice said:
			
		

> It's not going to work as expected anyway. Apache (or any other web service) runs on the www/www account. It doesn't have access to /etc/master.passwd (where the hashes are stored).



This is also a good reason to use PAM.


----------



## fluca1978 (Jun 5, 2012)

Oops! I missed the "web script" part, I was thinking about a root script.


----------

