
[PBML] Methods To Login Unix

  • CN Liu
    Message 1 of 4 , Jan 6, 2000
      Hello!

      I have seen Informix database engine running in SCO being able to
      verify user's identity by matching userid/password entered by user upon
      entries in file /etc/passwd. I have also seen Cyrus IMAP mail server
      running in my Linux box verify the userid/password pair entered by user
      via Netscape Messenger (running in client PC's) by matching that pair
      against /etc/passwd and /etc/shadow.

      Now, this is what I would like to achieve:
      I have some HTML documents serviced by Apache httpd. Some of these
      documents are to be accessed only by the users who also appear in
      /etc/passwd. So, I will write a Perl script which first sends a HTML
      form prompting user's login id and password. Having received the
      userid/password pair entered by the user, in one way or another, the
      Perl script then matches this userid/password on /etc/passwd &
      /etc/shadow. If the matching succeeds, then those restricted HTML
      documents are sent to browser by Perl script.

      ** The Apache httpd is run as userid "nobody". It has no read privilege
      on /etc/shadow - neither does Cyrus IMAP mail server. I do not want to
      grant user "nobody" read access to /etc/shadow.
      ** I do not use any extra files like .htaccess other than /etc/passwd &
      /etc/shadow so that I can avoid the trouble of synchronizing these
      files and /etc/passwd & /etc/shadow. Otherwise, my users will have to
      remember two or more "account/password" than just one which is kept by OS -
      /etc/passwd & /etc/shadow.

      This is my ignorance/incapability and need your help:
      What mechanism or Perl functions/modules I can adopt as a means of
      verifying user identity by matching the userid/password entered by user
      against OS files, /etc/passwd & /etc/shadow, like this:

      if (VerifySucceed(param("IdFromBrowser"), param("PasswordFromBrowser"))) {
          print header;
          print start_html("Welcome");
          print("Welcome to restricted pages!");
          print end_html;
      }

      How do I code function VerifySucceed?

      Thank you in advance!
      --
      CN
    • Dan Boger
      Message 2 of 4 , Jan 7, 2000
        On Fri, 07 Jan 2000 12:03:26 +0800 CN Liu <cn@...> wrote
        concerning '[PBML] Methods To Login Unix':
        > Now, this is what I would like to achieve:
        > I have some HTML documents serviced by Apache httpd. Some of these
        > documents are to be accessed only by the users who also appear in
        > /etc/passwd. So, I will write a Perl script which first sends a HTML
        > form prompting user's login id and password. Having received the
        > userid/password pair entered by the user, in one way or another, the
        > Perl script then matches this userid/password on /etc/passwd &
        > /etc/shadow. If the matching succeeds, then those restricted HTML
        > documents are sent to browser by Perl script.

        well, I can give you part of the solution - look at the crypt
        function:

        (snip from 'perldoc -f crypt'):

        $pwd = (getpwuid($<))[1];

        system "stty -echo";
        print "Password: ";
        chomp($word = <STDIN>);
        print "\n";
        system "stty echo";

        if (crypt($word, $pwd) ne $pwd) {
            die "Sorry...\n";
        } else {
            print "ok\n";
        }

        which works quite well. Even with shadow files, since the getpwuid
        call is privileged, I guess? just be aware, the sending password
        unencrypted over HTTP is a very very bad thing (TM).

        Hope that gives you a lead,

        Dan

        Dan Boger - Georgetown Institute for Cognitive and Computational Sciences
        dan@... ICQ: 1130750
        Georgetown University Medical Center Washington, DC
      • CN Liu
        Message 3 of 4 , Jan 10, 2000
          >
          > well, I can give you part of the solution - look at the crypt
          > function:
          >
          > (snip from 'perldoc -f crypt`):
          >
          > $pwd = (getpwuid($<))[1];
          >
          > system "stty -echo";
          > print "Password: ";
          > chomp($word = <STDIN>);
          > print "\n";
          > system "stty echo";
          >
          > if (crypt($word, $pwd) ne $pwd) {
          > die "Sorry...\n";
          > } else {
          > print "ok\n";
          > }
          >
          > which works quite well. Even with shadow files, since the getpwuid
          > call is privileged, I guess? just be aware, the sending password
          > unencrypted over HTTP is a very very bad thing (TM).
          >
          Hello! Dan,

          The direction you gave me is very very helpful to me. It is almost the
          exact solution I need. The last, I hope, bottleneck I have is that
          function getpwuid does not return the password field in /etc/shadow.
          Instead, it returns "x" from /etc/passwd:

          #!/usr/local/bin/perl
          $pwd = (getpwuid($<))[1];
          print "===",$pwd,"===\n";
          ($name,$passwd,$gid,$members) = getgr*
          print "===",$passwd,"===\n";
          $pwd = (getpwuid(0))[1];
          print "===",$pwd,"===\n";

          Its output is:

          ===x===
          ======
          ===x===

          Best Regards,

          CN
        • Dan Boger
          Message 4 of 4 , Jan 10, 2000
            On Mon, 10 Jan 2000 17:08:47 +0800 CN Liu <cn@...> wrote
            concerning '[PBML] Re: Methods To Login Unix':
            > The direction you gave me is very very helpful to me. It is almost the
            > exact solution I need. The last, I hope, bottleneck I have is that
            > function getpwuid does not return the password field in /etc/shadow.
            > Instead, it returns "x" from /etc/passwd:
            >
            > #!/usr/local/bin/perl
            > $pwd = (getpwuid($<))[1];
            > print "===",$pwd,"===\n";
            > ($name,$passwd,$gid,$members) = getgr*
            > print "===",$passwd,"===\n";
            > $pwd = (getpwuid(0))[1];
            > print "===",$pwd,"===\n";
            >
            > Its output is:
            >
            > ===x===
            > ======
            > ===x===
            >

            sorry, my mistake - it was working for me cause of our yp server. To
            be able to read the shadow password, you have to run a privileged
            process - that's the whole point of having shadow passwords. I don't
            know how you'd be able to authenticate as a non root in a shadow
            environment.

            Anyone else has ideas?

            Dan
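
The split the last message points at, a privileged process doing the check on behalf of the unprivileged web server, sketched as an added example that is not code from the thread or from any poster. It assumes the helper is started privileged by some means outside the example and that the platform's Perl returns the shadow field from getpwnam in that case (perlfunc notes this varies by system); the sub names verify and main are made up here.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Sub names are made up here.
use strict;
use warnings;

# True only when $hash is a usable crypt(3) hash and $word reproduces it.
sub verify {
    my ($word, $hash) = @_;
    return 0 unless defined $word && defined $hash;
    # "x" is the /etc/passwd placeholder seen in the thread; an empty field
    # or one starting with "*" or "!" is a disabled or locked account.
    return 0 if $hash eq '' || $hash eq 'x' || $hash =~ /^[*!]/;
    my $got = crypt($word, $hash);    # the stored hash doubles as the salt
    return 0 unless defined $got && length($got) == length($hash);
    # Compare every byte instead of stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($hash, $_, 1))
        for 0 .. length($hash) - 1;
    return $diff == 0 ? 1 : 0;
}

# Helper entry point. Credentials arrive on STDIN ("user\npassword\n"), not
# in argv where a process listing would show them; the only answer is the
# exit status, so the hash never reaches the web server process.
sub main {
    chomp(my $user = <STDIN> // '');
    chomp(my $word = <STDIN> // '');
    # Assumption: running privileged on a platform where Perl's getpwnam
    # returns the shadow field; unprivileged it returns "x" and verify() fails.
    my $hash = (getpwnam($user))[1];
    return verify($word, $hash) ? 0 : 1;
}

exit main() unless caller;
```

Run unprivileged, the helper exits 1 for every input, which matches the "===x===" output reported in message 3.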