Unix/Linux: Password Encryption Mechanism in /etc/shadow

Tags: hashsum, linux, passwd, shell-script

(From a novice's point of view)

The other day I was thinking about how a typical "passwd" command works in a LINUX OS. For example, when we type in "passwd", a prompt appears letting us type in our password, and then it wraps that password up with cryptographic algorithms and saves it in /etc/shadow. So I came up with a "Password/login emulation" of my own. Initially it saves the username along with their password in a file named mango.txt in the form of "username::password", and the next time the same user tries to log in, it asks for the username and password. So I came up with these two scripts.

Script 1: Prompts for a user-name and a password and saves it in a file called mango.txt.

#!/bin/bash
# Title: username.sh
#
# What I'm planning to do here is to create a username script which
# allows a user to add themselves by putting in their name and their
# password; it saves itself to a file with the username and password.
# If the username already exists, it tells the user that a user with the
# same name exists, else it adds the new user along with a password.
# The password is saved in md5 hash form.

exec 2>/dev/null   # silences all error output; remove this line while debugging
touch mango.txt

echo -n "Enter username: "
read usame

if [ "$usame" == "" ]; then
    echo -e "Username can not be blank\n"
    ./username.sh
else
    # anchor the pattern to the name field so "bob" does not match "bobby::..."
    if grep -q "^$usame::" mango.txt; then
        echo -e "A username with the same name already exists\n"
        ./username.sh
    else
        # the prompt is printed with echo because "read -p" writes its prompt to
        # stderr, which the exec line above has redirected to /dev/null;
        # re-prompt (instead of looping forever) while the password is blank
        while true; do
            echo -n "Password: "
            read -s passwd
            if [ "$passwd" == "" ]; then
                echo -e "\nPassword can not be blank\n"
            else
                # md5sum prints "<hash>  -"; keep only the hash field
                echo "$usame::$(echo "$passwd" | md5sum | cut -d' ' -f1)" >> mango.txt
                echo -e "\nUser $usame added\n"
                break
            fi
        done
    fi
fi

Script 2: If this could be added in "bash.bashrc", then it would run at each terminal startup and ask for the username and password. If the username and password match those in mango.txt, then it lets the user log in, else the terminal exits. Plain passwords are compared in md5sum form with the passwords in the mango.txt file.

#!/bin/bash
# Title: login.sh

# A simple login bash script

# trap ignores Ctrl+C (INT) and Ctrl+Z (TSTP) so the prompt
# can't be escaped from the keyboard
trap '' INT TSTP

read -p "Enter username: " usname
# anchored match on the name field, same as in username.sh
if ! grep -q "^$usname::" mango.txt; then
    echo "Username not found"
    sleep 1
    pkill -9 bash # That's a bit too much I guess, but oh well
else
    read -s -p "Password: " password

    if [ "$password" == "" ]; then
        echo -e "\nPassword can not be blank"
        ./login.sh
    else
        # hash the typed password exactly as username.sh did (hash field only);
        # kept in a variable instead of tmp.txt so nothing is written to disk
        # and no cleanup is needed on the paths that kill the shell
        tmp="$(echo "$password" | md5sum | cut -d' ' -f1)"
        # if the md5 hashes match, then allow login saying yo
        # (-x: whole line must match, -F: treat the hash as a fixed string)
        if grep -qxF -- "$usname::$tmp" mango.txt; then
            echo -e "\nyo"
        else
            # else print login failed
            echo -e "\nLogin failed"
            sleep 1
            pkill -9 bash
        fi
    fi
fi

I'm pretty sure it's nowhere near how that exactly works in a LINUX system (not to mention the cryptographies like ccrypt and scrypt and different salting mechanisms), but it's the best I could come up with... perhaps a little nudge in the right direction as to how that actually works would be great from the experts. (:

The encryption mechanism is what I'm super curious about.

Best Answer

You would use a slow, salted, secure hash function: key derivation function.

  • We use a hash function so that the password is hidden: no one can read it, not even the admin. Hashes can not be reversed. When the user logs in we hash their password input and compare it with the stored hash.

  • Salting is to add a large random string to the password before hashing. We have to store the salt with the hash. We do that to slow down dictionary attacks. A dictionary attack is to hash a dictionary of known common passwords and look for matches. Now the attacker needs to create a dictionary for each user (as they all have a unique salt).

  • We use a slow hash to further slow the dictionary attack, at the expense of compute time each time a user logs in.

You can read more at

For what is used on some Gnu/Linux systems, see this related question

Editing /etc/shadow -- don't do it.
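The three ingredients the answer lists (one-way hash, per-user random salt stored beside the hash, deliberately slow derivation) in working form, as an added example that is not part of the question or the answer. It uses PBKDF2-HMAC-SHA256 from Python's standard library with an assumed cost of 200000 iterations and a 16-byte salt; the crypt-style SHA-512 entries in /etc/shadow use a different algorithm and encoding, but the same store-and-verify logic. The `add_user`/`check_login` functions mirror the question's "username::hash" lines in memory rather than in mango.txt.

```python
from typing import List, Optional
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the original answer).
# Real systems use crypt-style SHA-512 ($6$...), bcrypt, scrypt or yescrypt
# with a cost tuned to the hardware; the shape of the record is what matters.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt$hash'.

    Storing the salt and the cost inside the record (as /etc/shadow does)
    lets the verifier recompute the hash without any other state.
    """
    if salt is None:
        # fresh random salt per user: two users with the same password get
        # different records, so one precomputed dictionary cannot serve both
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and cost, compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: wrong number of fields
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest does not stop at the first differing byte, so timing
    # reveals nothing about how much of the hash was right
    return hmac.compare_digest(actual, expected)


# A tiny in-memory "mango.txt": one 'username::record' line per user
def add_user(lines: List[str], username: str, password: str) -> List[str]:
    """Append a user unless the name is already taken (exact match on the name field)."""
    if any(line.split("::", 1)[0] == username for line in lines):
        raise ValueError("user %r already exists" % username)
    return lines + ["%s::%s" % (username, hash_password(password))]


def check_login(lines: List[str], username: str, password: str) -> bool:
    """True only if the name exists and the password verifies against its record."""
    for line in lines:
        name, _, record = line.partition("::")
        if name == username:
            return verify_password(password, record)
    return False


if __name__ == "__main__":
    users = add_user([], "alice", "correct horse")       # constructed sample users
    users = add_user(users, "bob", "correct horse")      # same password as alice...
    print(users[0])
    print(users[1])                                      # ...different record thanks to the salt
    print(check_login(users, "alice", "correct horse"))  # True
    print(check_login(users, "alice", "wrong"))          # False
    print(check_login(users, "carol", "correct horse"))  # False: no such user
```

Compared with the md5sum scripts in the question, the differences are exactly the answer's three points: the salt makes alice's and bob's identical passwords produce different lines, the iteration count makes every guess cost the attacker as much as it costs the login, and the comparison is constant-time. Lowering `ITERATIONS` makes logins faster and the attacker's dictionary equally cheaper.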
