[BusyBox] how does passwd work

Ralph Siemsen ralphs at netwinder.org
Fri Feb 25 16:42:11 UTC 2005


Ihno Krumreich wrote:
> Hi,
> 
> some small correction. The encrypted password in /etc/passwd
> is not a md5 sum, but a des encrypted string.

If the code is to be at all portable, assumptions like this should not 
be made.  The password might be DES with salt, might be md5, might be 
stored in /etc/shadow and instead of /etc/password, etc.

A relatively painless way to handle setting the password from a script 
is to make use of the passwd command - it will know the correct format 
on the system it runs on.  I have used the following approach:

(echo NEWPASS; sleep 1; echo NEWPASS) | passwd USERNAME

Some versions of "passwd" also accept the password as a parameter on the 
commandline, or on stdin like so:

echo PASSWORD | /usr/bin/passwd --stdin USERNAME

Of course, the above is not terribly secure since the cleartext can be 
(briefly) seen in the process list (eg. "ps ax" output).  You can fix 
that by opening a pipe to the passwd program from your CGI, and sending 
the input directly.  Or if you do not allow users to login then there is 
  no issue either.

-Ralph



More information about the busybox mailing list