Hi Hugues,
> I was looking at a cmu.xml file when I saw this sort of line:
>
> <user id="username">
> ...
> <crypt_password value = "Ievk7MIbmw.8s"/>
> ...
> <md5_password value = "$1$bhwBNKCv$tTtMT.nb5/CGOo9IU5bo20"/>
> ...
> </user>
>
> How is the field crypt_password generated?
> Where can I find the code (PHP?) that authenticates a user?

Check the RPMs that belong to "base-user" and "base-vsite" - they should give
you some pointers.

Basically authentication works like this:

The user enters his password. For security reasons the password is stored
encrypted - either with MD5 encryption or using the PHP function crypt().
Both cannot be decrypted with reasonable effort and are one-way encryptions.

Whenever the user is prompted for the password and enters it in clear text,
the application encrypts the freshly entered password the very same way as
the initial password. The result is compared with the stored encrypted
password. If the two match, the password was entered correctly. If they don't
match, the entered password was incorrect.

That eliminates the need to store the password in plain text.

Even the usual /etc/passwd & /etc/shadow authentication works in the same
fashion and the password is never stored unencrypted.

--
With best regards,
Michael Stauber
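
The re-hash-and-compare check described in the reply above, as an added example that is not part of the original message and not code from the base-user or base-vsite packages. The function names, passwords and salts are hypothetical; the two hash formats match the crypt_password and md5_password fields shown in the question.

```php
<?php
// Added example: function names and sample values are invented for illustration.

/** Name the scheme of a stored hash from its format. */
function hash_scheme(string $stored): string
{
    if (strncmp($stored, '$1$', 3) === 0) {
        return 'md5-crypt';            // $1$<salt>$<22-char digest>
    }
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $stored) === 1) {
        return 'des-crypt';            // 2-char salt followed by 11-char digest
    }
    return 'unknown';
}

/** Re-hash the entered password with the stored salt and compare. */
function verify_password(string $entered, string $stored): bool
{
    if (hash_scheme($stored) === 'unknown') {
        return false;                  // refuse formats we do not recognise
    }
    // crypt() reads the scheme marker and the salt from its second argument,
    // so passing the stored hash reproduces "the very same way" of hashing.
    $candidate = crypt($entered, $stored);
    // A failed crypt() returns a short marker such as "*0", which never matches.
    return hash_equals($stored, $candidate);   // constant-time comparison
}

// Constructed sample records (not the values from the cmu.xml excerpt).
$records = [
    'crypt_password' => crypt('correct horse', 'ab'),
    'md5_password'   => crypt('correct horse', '$1$saltsalt$'),
];

foreach ($records as $field => $stored) {
    printf("%-14s %-9s right=%s wrong=%s\n",
        $field,
        hash_scheme($stored),
        var_export(verify_password('correct horse', $stored), true),
        var_export(verify_password('wrong guess', $stored), true));
}

// Traditional DES crypt uses only the first 8 characters of the password,
// so a different password sharing those 8 characters also verifies.
var_dump(verify_password('correct battery', $records['crypt_password'])); // bool(true)
var_dump(verify_password('correct battery', $records['md5_password']));   // bool(false)
```

The salt travels inside the stored value, which is why no separate salt field appears in the XML.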