Need to add field of old password under system > administration tab

Hi,

I need to add the "old password" field under system > administration tab. In the administration tab, we have the fields to change the old password and change it to the new one.

So before changing to the old password, I need to add one field of the old password. So that no-one can change the password without knowing the old one.
How can I add that old password field, and also validation on it, so that if someone puts in the wrong password it shows the popup message "Old password is wrong. Can't change new password"?

Thanks in advance

Regards
Sakshi

If you're talking about the root user, there is no point in checking the old/current password.

Hi @mbo2o

Thanks for your reply.
Yes, I am talking about the Router password. If someone is changing the router password then firstly we need to give the old password after that new password.
So there is no way to check the old password?

Thanks in advance

Regards
Sakshi

I do not mean to be rude, but after reading this and your other threads, I am increasingly getting the feeling that you ask others in this forum to do "your homework" for free...

It looks as if you've been tasked with modifying OpenWrt for some product / project / whatever and are now looking for help to do so.

Seeking help is fine and totally appropriate for this forum, but the lack of lower level details, specific source code related questions, lack of any diffs or snippets of your own source code attempts makes it look as if you really don't know what you're doing and merely rely on complete copy-paste ready solutions provided by others.

To go back to your original question - did you familiarize yourself with the format of /etc/shadow, the related getspnam(3) / getpwnam(3) library functions and the use of crypt(3) to calculate password hashes from plaintext inputs to compare them with records from /etc/shadow?

Bindings to the libc library functions are provided by the LuCI nixio library which are also utilized by the login authentication code to check the root password correctness. There also is a high level luci.sys.user.checkpasswd(user, pass) function available which you can use to test a given user / plaintext password combination for correctness.

You need to add a call to the checkpasswd() function to the form model of the system administration page /usr/lib/lua/luci/model/cbi/admin_system/admin.lua, next to the place where the existing password equality check is performed.
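The check described in the post above, as an added example that is not part of the original thread and is not LuCI's own code: a helper that refuses to set a new password unless luci.sys.user.checkpasswd() accepts the current one. The helper name `change_password`, its messages other than the one quoted in the question, and the assumption that `luci.sys.user.setpasswd()` returns 0 on success are this example's, not the page's.

```lua
-- Added example: gate a password change on the current password.
-- Assumes an OpenWrt system with LuCI installed, so luci.sys can be loaded.
local sys = require "luci.sys"

-- Hypothetical helper, not part of LuCI.
-- user:    account whose password is changed (in the form model this would
--          be the logged-in user, e.g. luci.dispatcher.context.authuser)
-- old:     plaintext of the current password as typed into the new field
-- new:     plaintext of the new password
-- confirm: repeated new password
-- Returns true plus a message on success, false plus a message otherwise.
local function change_password(user, old, new, confirm)
	-- Reject empty input early so an empty field is never treated as a
	-- valid current password.
	if not old or #old == 0 then
		return false, "Old password is required."
	end
	if not new or #new == 0 then
		return false, "New password must not be empty."
	end
	if new ~= confirm then
		return false, "Password confirmation did not match, password not changed."
	end

	-- checkpasswd() tests the plaintext against the /etc/shadow record by
	-- hashing it with crypt(3); the stored hash is never turned back into
	-- a plaintext.
	if not sys.user.checkpasswd(user, old) then
		return false, "Old password is wrong. Can't change new password"
	end

	-- Only now touch the stored password. A non-zero result is assumed to
	-- mean the underlying passwd call failed.
	if sys.user.setpasswd(user, new) ~= 0 then
		return false, "Unknown error, password not changed."
	end
	return true, "Password successfully changed."
end

return change_password
```

In the form model, the returned message can be assigned to the map's message field in the same place where the existing password equality check reports its result.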

It is impossible to change the password unless someone logs in (the web GUI that is, although you can also lock down the console using the ttylogin 1); so I do not understand what you are trying to solve.

No, as the password is saved under normal Linux conditions - hashed for security purposes. Actually, it's done this way to prevent exactly what you're suggesting.