
User authentication program

I'm trying to write a web page to allow users of a system to change their password, and I'm having some issues. I've looked all over the place for information, and the best place to come seems to be here. Apologies if members of this list disagree.

I know there are security issues for web pages, and I'm thinking of actually logging the password change request and having a root-owned daemon actually make the change, so the web server isn't actually doing anything secure. But that leads to other issues.

Basically, the web page needs to authenticate the user.

I've done user authentication before, getpwnam, but never in this PAM world. And I could use getspnam, but then the program would have to be setuid, and I still have the problem where I used MD5 passwords, and can't figure out how to encrypt an entered password to compare it with the MD5 password.

So I guess I have two questions. One, what is the equivalent of "crypt(5)" for MD5 passwords?

And two, how should I be writing the program I need? Should it be a PAM application? How do I use use_first_pass and get "first_pass" into the PAM chain from the program itself?

I'm not doing this, but I thought about it: I've used Apache's access control to ask for username and password to allow access to a page. How would I write an auth_handler for use on a box with shadowed MD5 passwords? Is PAM the only way, or is there an MD5 crypt (basically the same problem: how do I authenticate a user with a password gotten from something other than a console app that PAM calls?)

Is my confusion understandable? Like I said, I've read all the web pages and FAQs and am just coming up short. I looked at wu-ftpd's code and they seem to have gone through hoops to use PAM, but the way they use it seems to be what I need. Should I do that?

Thanks for any help...

