PerlMonks  

Testing A users's unix password with perl

by cfreak (Chaplain)
on May 08, 2002 at 18:54 UTC
cfreak has asked for the wisdom of the Perl Monks concerning the following question:

I need to check users' passwords on a Unix system, but not log in as the user. I did some searching and came across this node. From there I looked at the reply involving Authen::PAM. Unfortunately I'm no closer to solving my problem.

Looking at the Authen::PAM module documentation I couldn't seem to figure out a way to simply verify users without trying to log in as them. Has anyone done this? Please help.

Chris


Some clever or funny quote here.

Re: Testing A users's unix password with perl
by mrbbking (Hermit) on May 08, 2002 at 19:04 UTC

      Since I know very little about that I'm not sure how it relates.

      If it makes you feel better, this is what I'm doing: I'm a webmaster/system admin at a small ISP. This ISP wants users to be able to change their password through a secure web interface. I want to bypass system prompting. I figured out that I can use Net::SSH to connect to the correct systems as root and use echo to pipe the new password to passwd --stdin in one command. I know it might not be the best idea to log in as root, but I am using SSH with keys and it's on our network (never goes outside), so I'm not too worried about it.

      What I need is a way to verify that the user is giving me a correct old password. I originally thought of using Net::Telnet, but of course that's not nearly as secure, and it loses the ability to use a single command to change the password (since I would not use root over telnet).

      I have authorization to do this; I've been asked to. I'm not worried about my employer suing me. Small companies don't have the money or time for such nonsense.

      Chris

      Some clever or funny quote here.

        You might be wasting your time, as most password changes are the result of forgetting the password in the first place. Besides, you want to hand out as little information as possible when it involves your security.

        As to permission, do you have it in writing? The company may not sue you but they can always fire you. And people will tend to believe a company over an ex-employee.

      You don't need to "see" the password to verify whether the user knows it. See my node below or crypt. I am not a lawyer, but I believe this is very different from running crack on a system.

      --
      my $chainsaw = 'Perl';

Re: Testing A users's unix password with perl
by yodabjorn (Monk) on May 08, 2002 at 21:09 UTC
    You should look into these two modules (assuming you have access to read the shadow or passwd files).

    This one is nice for parsing passwd and checking whether users exist:
    Unix::PasswdFile
    and this one for manipulating the shadow file:
    Unix::ShadowFile

    I have used these two modules quite a lot. They work well for me.

      Thanks. The shadow file is what I need (I do have access to it); however, I can't seem to find it on CPAN. Do you know where I can get it?

      Chris

      Some clever or funny quote here.
        Odd. I got it off CPAN... I guess it was a while ago.

        I know it was abstracted heavily from Unix::ConfigFile. That may have something for you.

        It looks like Unix::PasswdFile might handle the shadow file as well.
        Also, CfgTie::TieShadow looks like it could make it easier.

        Also, the author of Unix::ShadowFile is Steve Snodgrass, ssnodgra-AT-fore.com.
        You can try him. If all else fails, email me and I will send you the .pm I got.
Re: Testing A users's unix password with perl
by greenFox (Vicar) on May 08, 2002 at 21:53 UTC

    See perlfunc:crypt which has sample code to do exactly what you want. I have used it and it does work.

    I would recommend you look into ssh forced commands if you are going to litter (pass-phrase-less) keys to root's account around the place (or keys with the pass-phrase embedded in the script). At least that way, if someone owns the box with the key, they can only run the command you allow, although being able to reset passwords is bad enough! Make sure the forced command can only reset the password for allowed accounts; allow by uid range, for example. Turn taint mode on for your forced command as well (-wT). Definitely do NOT allow root's password to be reset this way! :)

    I have used perl with open2/open3 to the system ssh to send data across the network. open2/3 allows you to talk to stdin/stdout at the same time, and passed parameters aren't visible from a local ps. It works well, and you don't have to keep two versions of ssh (the system's and perl's) up to date with security fixes.

    I still think it is a bad idea, though; it sounds like what you really need is NIS or LDAP. Your script then only needs admin privilege to NIS/LDAP and not root.

    Hope this helps

    --
    my $chainsaw = 'Perl';
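The crypt() check greenFox points to, and the shadow-file lookup yodabjorn's reply covers, written out as an added example (not code from any poster in this thread). The shadow entries are constructed here, with the stored hash generated at startup so the script runs offline; a real script would read /etc/shadow as root or the shadow group and would normally use the modules named above rather than a hand-rolled split.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample shadow entries. The hash for "alice" is generated with a
# fixed salt here; in practice it comes from /etc/shadow. "bob" is locked ("!")
# and "root" is disabled ("*"), as they would appear in a real shadow file.
my $sample_hash  = crypt('correct horse', '$6$saltsalt$');
my @shadow_lines = (
    "alice:$sample_hash:19000:0:99999:7:::",
    "bob:!:19000:0:99999:7:::",
    "root:*:19000:0:99999:7:::",
);

# Return the hash field of the shadow entry for $user, or undef if none.
sub stored_hash {
    my ($user, @lines) = @_;
    for my $line (@lines) {
        my ($name, $hash) = split /:/, $line;
        return $hash if defined $name && $name eq $user;
    }
    return;
}

# Verify an attempt without ever recovering the stored password: crypt() reads
# the algorithm and salt from the stored hash itself, so re-hashing the attempt
# with the stored hash as "salt" must reproduce the stored hash exactly.
# Locked, disabled or empty hash fields ('!', '*', '') can never verify.
sub check_password {
    my ($user, $attempt, @lines) = @_;
    my $hash = stored_hash($user, @lines);
    return 0 unless defined $hash && $hash =~ m{^[\$./0-9A-Za-z]+$};
    my $recomputed = crypt($attempt, $hash);
    return (defined $recomputed && $recomputed eq $hash) ? 1 : 0;
}

# Exercise the check with a correct attempt, a wrong one, a locked account
# and an unknown user.
for my $try (['alice', 'correct horse'], ['alice', 'wrong'],
             ['bob',   'anything'],      ['carol', 'x']) {
    my ($user, $pw) = @$try;
    printf "%-6s %s\n", $user, check_password($user, $pw, @shadow_lines) ? 'OK' : 'REJECTED';
}
```

Only the first attempt is accepted; the result of crypt() depends on the platform's crypt(3) (glibc gives SHA-512 for a `$6$` salt, older libcs fall back to DES), which is exactly why the stored hash, not a fixed salt, must be passed as the second argument.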
