How auth the md5 password using pam (QiuChu)

Martin inkubus at interalpha.co.uk
Sat Nov 24 00:28:48 UTC 2007


<snip>
> What I mean is that " PHP application send the password to the C CGI
> program which performs the authentication using PAM".
> 
> but what is the difference from "does the user send the password
> to the C CGI program which performs the integration using PAM"?
> 
> I think your method does make sense: I will use SSL to send the
> password to a CGI program, and then the CGI program performs the
> authentication using PAM.
IMHO this is still *way* too complex.  When I fed "PHP PAM" into google,
I got this:

http://pecl.php.net/package/PAM

Beyond that; do you need PAM at all?  The only sensible use of PAM from
a PHP script I can think of is if the users need, have and use standard
log in accounts on the machine and you want to share the usernames and
passwords.  If they don't have accounts then why not use a database as
is the more normal method of doing account management / authorisation in
web applications.

> But it happens at the user login. After login, I need save the
> username and password in the PHP session,
IIRC if you've set up things to require authentication at the HTTP layer,
the username and password are cached in the browser and presented on each
subsequent request.  Given HTTP is (supposed to be) stateless I can't
see how else it would do this.

But how you do this is entirely OT for this list.

> and for security ,
For security I think you should avoid saving the password in the PHP app
if at all possible.  PAM goes to a lot of trouble to try to make sure
passwords don't leak out.  You don't want to have to repeat this work.

> I think I should save the hashed password with MD5 which can be sent
> back by the CGI program.
> 
> When the user performs some operations on the PHP application, for
> security, I need to send the username and password to the CGI program
> which will auth it again, and then
> do some operations, but at this time the password I sent is the MD5
> password, so I need the C CGI program to auth the MD5 password.
This won't work for the following reasons:

1. The PAM interface takes a plain text password.  MD5 is a hash and
thus is one way; that's the point.  So even if you keep the MD5 hash of
the password around, you won't be able to recover the text of the
password; nor will you be able to use it to authenticate the user.

2. pam_unix with md5 passwords enabled doesn't store the MD5 sum of the
password, it stores a complex hash of the password that _includes_
multiple MD5 sum computations.  You don't want to have to re-implement
this.

HTH

Cheers,
 - Martin
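To make point 2 concrete, here is an added Python implementation of the $1$ md5crypt scheme that pam_unix's md5 passwords use (example code added here, not from the original thread); the salt string and the sample passwords are chosen by the caller, and the stored value is visibly not MD5(password), so only the plaintext can be verified against it.

```python
import hashlib
import hmac

MAGIC = "$1$"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: str, salt: str) -> str:
    """Return the $1$ (md5crypt) string that pam_unix/crypt(3) store for password."""
    pw = password.encode()
    if salt.startswith(MAGIC):              # accept a full stored hash as the salt source
        salt = salt[len(MAGIC):]
    salt = salt.split("$", 1)[0][:8]        # at most 8 salt characters, up to the next '$'
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for i in range(len(pw)):                # one byte of MD5(pw, salt, pw) per password byte
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                # a NUL or the first password byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                   # 1000 chained MD5 rounds: the "multiple MD5 sums"
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = ""                                # crypt's own base64 variant over a fixed byte permutation
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return MAGIC + salt + "$" + out

def verify(stored: str, password: str) -> bool:
    """True iff the plaintext matches a stored $1$ hash; the plaintext is required, its MD5 is useless."""
    if not stored.startswith(MAGIC):
        return False
    return hmac.compare_digest(md5crypt(password, stored), stored)
```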





More information about the Pam-list mailing list