[BusyBox] how does passwd work
Ralph Siemsen
ralphs at netwinder.org
Fri Feb 25 16:42:11 UTC 2005
Ihno Krumreich wrote:
> Hi,
>
> some small correction. The encrypted password in /etc/passwd
> is not a md5 sum, but a des encrypted string.
If the code is to be at all portable, assumptions like this should not
be made. The password might be DES with salt, might be md5, might be
stored in /etc/shadow and instead of /etc/password, etc.
A relatively painless way to handle setting the password from a script
is to make use of the passwd command - it will know the correct format
on the system it runs on. I have used the following approach:
(echo NEWPASS; sleep 1; echo NEWPASS) | passwd USERNAME
Some versions of "passwd" also accept the password as a parameter on the
commandline, or on stdin like so:
echo PASSWORD | /usr/bin/passwd --stdin USERNAME
Of course, the above is not terribly secure since the cleartext can be
(briefly) seen in the process list (eg. "ps ax" output). You can fix
that by opening a pipe to the passwd program from your CGI, and sending
the input directly. Or if you do not allow users to login then there is
no issue either.
-Ralph
More information about the busybox
mailing list