On Wed, February 2, 2005 12:32, Tim Alberts said:
> I'm running apache on a FC3 linux box. I'm trying to make user password
> control more available. I know the passwd command to change user
> passwords. My question is, if a user enters a password and they forget
> it, how can they get the password back out of the system without just
> re-entering a new one?
>
> Specifically, I'm using Linux-PAM with shadow passwords. I don't want
> to give users root access. I'm really trying to create a cgi/bash
> script that a user can enter their email address and it will email them
> their password. Seems like a simple thing to do, but I haven't seen a
> command to retrieve a current user password from Linux-PAM/shadow
> passwords. I could use a MySQL database to keep track of this stuff,
> but I prefer to use the security that Linux already provides. Plus,
> then I've got plain text passwords in a database or even if I encrypted
> them in the database, I have the passwords in two places and then
> there's the risk of them getting out of sync (however small a risk).
>
> <SNIP>

You can't recover the passwords from the passwd/shadow files. It's a one-way encryption scheme - you supply a password at login and the system encrypts it and compares the results with what is in the passwd/shadow file. If it matches, you're in.

Brute force password crackers just keep trying strings from a dictionary hoping for a match. I've worked in UNIX/Linux for ~ 20 years and never heard of anyone actually decrypting a password string.

You could set up a front-end that saves the pw in a db and then changes it, but if a user bypasses it (using the passwd command) you'd no longer have their current password in the db.....

Dave Gavin