in reply to Testing A users's unix password with perl

Step 1: Get written authorization to do this.

See merlyn's unintentional object lesson at


Re: Re: Testing A users's unix password with perl
by cfreak (Chaplain) on May 08, 2002 at 19:15 UTC

    Since I know very little about that I'm not sure how it relates.

    If it makes you feel better, this is what I'm doing: I'm a webmaster/system admin at a small ISP. This ISP wants users to be able to change their password through a secure web interface. I want to bypass system prompting. I figured out that I can use Net::SSH to connect to the correct systems as root and use echo to pipe the new password to passwd --stdin in one command. I know it might not be the best idea to log in as root, but I am using SSH with keys and it's on our network (never goes outside), so I'm not too worried about it.

    What I need is a way to verify that the user is giving me a correct old password. I originally thought of using Net::Telnet, but of course that's not nearly as secure and it loses the ability to use a single command to change the password (since I would not use root over telnet).

    I have authorization to do this; I've been asked to. I'm not worried about my employer suing me. Small companies don't have the money or time for such nonsense.


    Some clever or funny quote here.

      You might be wasting your time, as most password changes are the result of forgetting the password in the first place. Besides, you want to hand out as little information as possible when it involves your security.

      As to permission, do you have it in writing? The company may not sue you but they can always fire you. And people will tend to believe a company over an ex-employee.

Re: Re: Testing A users's unix password with perl
by greenFox (Vicar) on May 08, 2002 at 22:31 UTC
    You don't need to "see" the password to verify if the user knows it. See my node below or crypt. I am not a lawyer but I believe this is very different to running crack on a system.

    my $chainsaw = 'Perl';
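
The crypt-based check greenFox refers to, as an added example that is not part of the original thread: the stored hash is passed back to crypt() as the salt, so the old password is verified without being recovered or logged. The helper names and the sample password and salt are assumptions constructed for illustration; reading the real shadow entry is left to the caller.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Compare two strings without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# verify_password() is a hypothetical helper name. $stored is the hash field
# of the account's shadow entry; the caller is assumed to have read it already.
sub verify_password {
    my ($candidate, $stored) = @_;
    # Empty, locked ("!" / "*" prefix) or disabled entries never match.
    return 0 if !defined $stored || $stored eq '' || $stored =~ /^[!*]/;
    # Passing the stored hash as the salt makes crypt() reuse its scheme and salt.
    my $computed = crypt($candidate, $stored);
    # crypt() may return undef or an error token for an unsupported scheme.
    return 0 if !defined $computed || $computed =~ /^\*/;
    return constant_time_eq($computed, $stored);
}

# Constructed sample data: a SHA-512 crypt hash built here so the script
# runs offline and touches no real account.
my $stored = crypt('old-secret', '$6$constructedsalt$');
die "this platform's crypt() lacks SHA-512 support\n"
    unless defined $stored && $stored =~ /^\$6\$/;

for my $try ('old-secret', 'wrong-guess') {
    printf "%-12s => %s\n", $try,
        verify_password($try, $stored) ? 'match' : 'no match';
}
# A locked entry must be rejected even when the password itself is right.
printf "%-12s => %s\n", 'locked acct',
    verify_password('old-secret', "!$stored") ? 'match' : 'no match';
```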