Linux Passwords

Jasonh100

Senior member
Apr 21, 2001
I want to offer a web service to which users can log on using their existing Linux system accounts. Assuming you could do this, what type of security risks would it pose? If the risks aren't extensive, how would it be possible? Anything I've come up with is sketchy at best.

-jason
 

Jasonh100

Senior member
Apr 21, 2001
I want them to be able to type in their Unix system username and password on a web-based form. I want that information to be sent to a Perl script. I want the Perl script to know whether or not the credentials are correct.

-jason
 

Nothinman

Elite Member
Sep 14, 2001
Well, the security would be determined mostly by the scripts on the web server; you could use the Perl PAM libraries to do the authentication.
 

Haden

Senior member
Nov 21, 2001
Consider using SSL (apache-ssl); all web form data can be sniffed very easily...
 

Jasonh100

Senior member
Apr 21, 2001
So when I look up how to use the PAM libraries, will it be obvious how to use them based on the documentation? Also, yes, I will be using SSL.
 

Nothinman

Elite Member
Sep 14, 2001
Depends on your experience with Perl and PAM; it shouldn't be too difficult though.
 

alocurto

Platinum Member
Nov 4, 1999
Basically the question is how you send information from a web form securely. See SSH, as mentioned above.
 

Jasonh100

Senior member
Apr 21, 2001
Thanks for your help... I will easily be able to do it now that I know that there is a PAM library...... It shouldn't be a problem to do SSL either. Thanks

-jason
 

Jasonh100

Senior member
Apr 21, 2001
One last question:

I got Authen::PAM installed and I made a script that authenticates a username and password without any input from the user..... The only problem is that it only works when I'm logged in as root. Does that have anything to do with /etc/shadow? If it does, what is the best way to fix that? chrowngroup /etc/shadow to something and set the group that Apache runs under to the same thing?

thanks!
 

Nothinman

Elite Member
Sep 14, 2001
Root authenticating as another user always works; he's allowed to become anyone he wants.

PAM eliminates the need for the application to be able to read /etc/shadow or /etc/passwd; in fact, PAM abstracts everything so that you don't even need those files. For instance, you could have a PAM module that authenticates against entries in a SQL database.
 

Jasonh100

Senior member
Apr 21, 2001
The Perl script that I made fails with the wrong password but works with the correct password.

Can you give me an example of how you would use it?
 

Jasonh100

Senior member
Apr 21, 2001
I can't find much information on this topic at all, but here is one thing I have found....

> I just joined the list, so be gentle ;^)
>
> I'm trying to get a web-based application to authenticate using PAM
> (via perl's Authen:AM module).
>
> My test scripts work fine, as long as I'm authenticating the same
> user that the scripts are running under. When I plug my stuff into a
> cgi script however (apache web server running as user 'nobody' on
> Linux, with PAM 0.75), authentication fails.
>
> Reading through this thread:
>
> http://archives.neohapsis.com/archives/pam-list/2001-02/0100.html
>
> I realize that the /sbin/unix_chkpwd script is likely disallowing
> lookups for uids not matching the effective uid of the requesting
> process.
>
> The thread suggests cobbling together a version of unix_chkpwd that
> allows this type of lookup for the web server user. I'm not certain
> that my typical customer will want to accept (nor, be able to
> correctly compile it, for that matter...) this as a solution.
>
> So, anyone have a generic solution that solves this? Or should I
> just hack up a version of unix_chkpwd and try to include as detailed
> building instructions as possible?

When deciding what processes to allow access to /etc/shadow, you have to
make some choices between security and convenience. You basically have
two options. You can create a unix_chkpwd helper that implements
different sanity checks on the incoming requests, to meet your clients'
needs; or, if you don't feel that you can implement this in a way that
will be easy enough for your clients to get a handle on, you can advise
them to change the file permissions on /etc/shadow to grant the
webserver user direct read access to the file.

Steve Langasek
postmodern programmer

What I'm wondering is how apps such as Usermin work, but then I realize that it is probably because when I was testing it I started minisrv.pl when I was logged in as root. Nothinman, can you help me out with specifics of why you think PAM should work without changing /etc/shadow?
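Since the thread asks for a concrete example of calling Authen::PAM from a web script, and then runs into the case where authentication only works as root, here is an added example of both (my code, not Jason's script and not from the Authen::PAM documentation). It assumes the Authen::PAM and CGI modules are installed and that a dedicated PAM service file named `webauth` (a hypothetical name) exists under `/etc/pam.d/`; the two `pam_unix.so` lines shown in the comment are an assumed minimal stack for that service. Using a dedicated service name keeps the web application on its own PAM stack rather than borrowing `login` or `sshd`.

```perl
#!/usr/bin/perl
# Added example: verify a web form's username and password against the local
# PAM stack from a CGI script using Authen::PAM.
#
# Assumed PAM service file /etc/pam.d/webauth (hypothetical name and contents):
#     auth     required   pam_unix.so
#     account  required   pam_unix.so
use strict;
use warnings;
use CGI;
use Authen::PAM;

my $SERVICE = 'webauth';    # hypothetical service name, see comment above

# Returns 1 when PAM accepts the credentials, 0 otherwise. The reason is
# written to STDERR (which Apache sends to its error log); the password is
# never logged.
sub pam_check {
    my ($user, $password) = @_;

    # Conversation callback: PAM hands over (message_type, message_text)
    # pairs and expects (status, response) pairs back, then a final status.
    # Echo-on prompts get the username, echo-off prompts get the password.
    my $conv = sub {
        my @res;
        while (@_) {
            my $code = shift;
            my $msg  = shift;
            my $ans  = '';
            $ans = $user     if $code == PAM_PROMPT_ECHO_ON();
            $ans = $password if $code == PAM_PROMPT_ECHO_OFF();
            push @res, (PAM_SUCCESS(), $ans);
        }
        push @res, PAM_SUCCESS();
        return @res;
    };

    # new() returns an object on success or a numeric PAM error code on failure.
    my $pamh = new Authen::PAM($SERVICE, $user, $conv);
    unless (ref $pamh) {
        warn "pam_start failed for service $SERVICE (error code $pamh)\n";
        return 0;
    }

    my $res = $pamh->pam_authenticate;
    # Account management is a separate step: it catches expired passwords
    # and locked accounts that a bare pam_authenticate would let through.
    $res = $pamh->pam_acct_mgmt if $res == PAM_SUCCESS();

    if ($res != PAM_SUCCESS()) {
        # This is where the thread's failure mode shows up: when the web
        # server runs as a non-root user, pam_unix's unix_chkpwd helper
        # refuses to verify other users' passwords, so logging the PAM
        # error string tells you whether it was a bad password or the
        # helper refusing the request.
        warn "PAM authentication failed for user '$user': "
           . $pamh->pam_strerror($res) . "\n";
    }
    # pam_end is called automatically when $pamh goes out of scope.
    return $res == PAM_SUCCESS() ? 1 : 0;
}

my $q        = CGI->new;
my $user     = $q->param('username') // '';
my $password = $q->param('password') // '';

print $q->header(-type => 'text/plain');

# Reject malformed usernames before PAM ever sees them.
if ($user !~ /^[a-z_][a-z0-9_-]{0,31}$/) {
    print "authentication failed\n";
}
elsif (pam_check($user, $password)) {
    print "authentication OK for $user\n";
}
else {
    # Same response for an unknown user and a wrong password, so the form
    # does not reveal which accounts exist.
    print "authentication failed\n";
}
```

Run under Apache as the unprivileged web server user, this script reproduces the behaviour Jason describes: `pam_authenticate` succeeds for the user the server runs as and fails for everyone else, with the PAM error string in the error log explaining why. The script itself does not need to read `/etc/shadow`; it is `pam_unix.so` (through `unix_chkpwd`) that enforces the "same uid only" rule, which is why the options on the table in the thread are a different helper, broader `/etc/shadow` permissions, or a PAM module that does not depend on the shadow file at all.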
 

Jasonh100

Senior member
Apr 21, 2001
For those interested, here is how I solved the problem......

I edited the source of unix_chkpwd to allow apache (the user I run my web server under) to lookup the passwords for other users besides itself.
 

Nothinman

Elite Member
Sep 14, 2001
That seems like overkill, but having not used Authen:AM extensively I can't say whether it was necessary or not, sorry.
 