User Authentication?

Creating a Perl script that verifies a user's name and password against the server we are running off of here. I have it down so that I can verify they are actually a user on the system with the following:

$pw = getpwnam($name) or die "No "+$name+" user";


My problem is I can't figure out how to then check the password to see if it's the same. Does anybody have any suggestions?

Thanks for any help you guys can give.

From O'Reilly's Perl In A Nutshell...Great Reference!

<snip>

crypt can be used to check that a password is correct by comparing the string from the function to the string found in /etc/passwd (if you have permission to do this):

if (crypt ($guess, $pass) eq $pass) {
# guess is correct
}
The variable $pass is the password string from the password file. crypt merely uses the first two characters from this string for the salt argument.

<snip>

Well, unfortunately this still isn't working. Maybe I don't fully understand how the crypt function works or something else. Here's the code I'm using. It prompts a user for their username and password, and if the username exists, it will say it does, then say if the password is valid or not. If the username doesn't exist, then it will say Invalid user.

Here's the Code:

#!/usr/local/bin/perl

use User::pwent;

print "Login Name: ";
chop($username = <STDIN>);
system "stty -echo";
print "Password: ";
chop($passwd = <STDIN>);
print "\n";
system "stty echo";

$userID = getpwnam($username);

if ( $userID ) {
print("Valid User\n");
$pwd = @$userID[2];
$salt = substr($pwd,0,2);

if ( crypt( $passwd, $salt ) ne $pwd ) {
print("Invalid Password\n");
} else {
print("Valid Password\n");
}
} else {
print("Invalid User\n");
}

Thanks for any help you guys can give me on this. And sorry for it being flush left, it doesn't seem to want to save the spaces I have in the code.

Let me suggest two things. Change @$userID[2] to $userID[2] if you're referencing an item in an array. Second, go ahead and just pass $userID[2] as the salt variable. The crypt command will take care of taking the first two characters needed for the salt value.

try...

$pwd = $userID[2];

if ( crypt( $passwd, $pwd ) ne $pwd ) {
print("Invalid Password\n");
}

Bob

Mullaney, thanks for the help. I finally figured it out after staring at the screen for like 2 hours. Stupid me forgot the encrypted password is stored in the second spot in the array returned to me, not the third, so I should have had:

$pwd = $userID[1];

instead of:

$pwd = $userID[2];

So now it works like a charm! Thanks for the assistance. Gotta hate the stupid things that make you wonder wtf is going on.

Okay, now hopefully someone knows a way to get through this next small but annoying situation I have now. I've successfully converted my command line version of this script into the web-based perl cgi that I wanted from the get go. My only problem is that I really don't want the variables from the form and their values being passed openly in the Location bar of the browser since it will hold the user's login name and password. I remember that in one language, I think it was Cold Fusion, that you could make the location bar remain free of the variables and their values. Is it possible to do that with this also or should I pursue another avenue? I currently have it so the user types in their username and password, clicks the 'Login' button and it sends the data to the perl script which will in turn redirect them based on a successful login or not. Any suggestions or ideas? Thanks.

Use cookies or (real) basic user authentication (that is, .htaccess-type auth).