If you could use Net::SSH instead, it would be better. It would involve some more work though.

-Imran

Would appreciate your thoughts on this.

My first thought is that from your description you seem to be going to a lot of effort to accomplish a simple task. In fact, IMHO you are going abou this backwards.

First I'd come up with the list of authorized users. Secondly I'd leave the Unix passwords out of the equation and use another repository to store authentication tokens other than /etc/password and/or /etc/shadow. In fact, if your Unix system has implemented shadow files (and most these days do) then you shouldn't be able to access /etc/shadow from your web application. If you can then you are introducing other security issues that I believe are beyond the scope of this discussion.

If you want the userids and passwords to match the account ids and passwords issued for Unix accounts then I'd say import them into another repository from Unix and let your application access them from there. Keeping your list of authorized uers then becomes just an excercise of importing just the users you need and leaving out the rest.

What repository you ask? Investigate .htpassword files for one, LDAP is a good solution and so might be putting the account data in a relational database.

The major drawback to importing the Unix account information that I can think of (besides wire snooping and other evil things) is password synchronization becomes an issue. So does user administration from the perspective of adds/changes/deletes.

If you are lucky enough that your company has standardized on something like LDAP for user authentication then your application should be able to access account logins from there. In fact whoever your LDAP administrator is can set up an ACL and group tailored to the list of who is authorized to use your application relieving you of that burden.

Just my US$0.02 worth.. HTH...

In general, it is not a good security practice to send passwords unencrypted, even over your intranet. As has been mentioned, FTP is not encrypted. Of course, if you have not set up your web page with SSL, neither is your web session, so changing to SSH will not really solve the problem.

If your web server is Apache, you can use mod_auth_pam or mod_auth_shadow. More info would be needed about the web server and OS to get more specific ...

Depending on your UNIX flavor, you might have the Pluggable Authentication Module available. If you do, this is incredibly simple using Authen::SimplePam:

use Authen::SimplePam;
my $auth = Authen::SimplePam->new();

my $result = $auth->auth_user($username, $password, 'login');
if ( $result == 1 ) {
  print 'User logged in OK!'
}
else {
  print 'Login failed: ',$auth->result2string($result);
}
[download]

If you are doing this without the benefit of PAM, it could be trickier.

As for security issues, what you really want to do is not send things over clear text -- this means FTP is a poor choice. Try SSH or another secure protocol. Also, your approach of logging in once and then allowing access based on the result code is probably not the best. With something like PAM available, it would be best to actually authenticate each operation that needs privileges.

Unfortunately, that's all the more specific I can be with such a vague question.

Thanks for the suggestion.

I was able to install PAM module and the authentication worked fine except that I also got a message

Subroutine PAM_BINARY_PROMPT redefined at ~/perllib/Authen/SimplePam.pm : line 56

Sorry that I was not clear in the initial post. I intend to have every page and operation validated by calling this function before doing anything.

Thanks again for your help