  1. #1
    SitePoint Member (Join Date: Feb 2001, Location: The Netherlands, Posts: 11)
    I'm a new user of PHP and MySQL, already making progress in a very short time and astonished at how totally cool it all is. As always when I learn new stuff I'm jumping into the deep end, or at least it seems like the deep end to me.

    Basically what I want to do is allow people who have the right to log onto the unix machine to be able to log on to my website with their unix usernames and passwords and then change their passwords on the site. I'm seeing tutorials etc. on authentication/tracking, well and good, but it's usually with a database, cookies, flat files, .htpasswd files etc. These I can manage.

    What I would like is some advice on how to do that. How do you use PHP to log onto a UNIX system and change the password via a database? What should I look for? Where do I start? I'm not at all averse to figuring out how to tie things together myself, but it would be nice to hear what to do and what not to do from experienced folks who've done it--things to watch out for etc...

    Thanks

  2. #2
    SitePoint Evangelist (Join Date: May 2000, Location: Canada, Posts: 533)
    That's quite a complicated setup.

    You want to make your own authentication layer which modifies /etc/passwd and /etc/shadow on the fly.

    Not something I'd recommend, as you'd have locking issues with the passwd binary, which generally modifies those files.
    cogito, ergo sum

  3. #3
    SitePoint Columnist Skunk (Join Date: Jan 2001, Location: Lawrence, Kansas, Posts: 2,066)
    Horribly bad idea I think - if something goes wrong you could end up with your unix box password file open to the next hacker to come along...

    Quick quote from the Apache manual:
    Can I use my /etc/passwd file for Web page authentication?

    Yes, you can - but it's a very bad idea. Here are some of the reasons:
    • The Web technology provides no governors on how often or how rapidly password (authentication failure) retries can be made. That means that someone can hammer away at your system's root password using the Web, using a dictionary or similar mass attack, just as fast as the wire and your server can handle the requests. Most operating systems these days include attack detection (such as n failed passwords for the same account within m seconds) and evasion (breaking the connection, disabling the account under attack, disabling all logins from that source, et cetera), but the Web does not.
    • An account under attack isn't notified (unless the server is heavily modified); there's no "You have 19483 login failures" message when the legitimate owner logs in. Without an exhaustive and error-prone examination of the server logs, you can't tell whether an account has been compromised. Detecting that an attack has occurred, or is in progress, is fairly obvious, though - if you look at the logs.
    • Web authentication passwords (at least for Basic authentication) generally fly across the wire, and through intermediate proxy systems, in what amounts to plain text. "O'er the net we go/Caching all the way;/O what fun it is to surf/Giving my password away!"
    • Since HTTP is stateless, information about the authentication is transmitted each and every time a request is made to the server. Essentially, the client caches it after the first successful access, and transmits it without asking for all subsequent requests to the same server.
    • It's relatively trivial for someone on your system to put up a page that will steal the cached password from a client's cache without them knowing. Can you say "password grabber"?
    If you still want to do this in light of the above disadvantages, the method is left as an exercise for the reader. It'll void your Apache warranty, though, and you'll lose all accumulated UNIX guru points.
    Check this out for more information: Apache FAQ section on Authentication
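    As an added illustration of the first two points in the quoted FAQ (no governor on retry rate, and detection only by looking at the logs), here is a small Python script that is not from the thread or the Apache manual. It reads constructed Apache combined-format access log lines (assumed chronological, as Apache writes them) and flags any account that collects n 401 responses within m seconds, the same rule the FAQ says the operating system applies but the Web does not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache combined log format (not from the thread).
# The third field is the Basic auth username; Apache records it even on a 401.
SAMPLE_LOG = """\
203.0.113.7 - root [12/Feb/2001:10:00:01 +0100] "GET /private/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.7 - root [12/Feb/2001:10:00:02 +0100] "GET /private/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.7 - root [12/Feb/2001:10:00:02 +0100] "GET /private/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.7 - root [12/Feb/2001:10:00:03 +0100] "GET /private/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.7 - root [12/Feb/2001:10:00:04 +0100] "GET /private/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
198.51.100.9 - alice [12/Feb/2001:10:00:05 +0100] "GET /private/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
198.51.100.9 - alice [12/Feb/2001:10:00:09 +0100] "GET /private/ HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
203.0.113.7 - root [12/Feb/2001:10:02:30 +0100] "GET /private/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, user, timestamp, status) or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["user"], ts, int(m["status"])

def find_bursts(lines, max_failures=5, window_seconds=60):
    """Flag accounts that collected max_failures or more 401s inside a sliding
    window (lines are assumed chronological, as Apache writes them).
    Returns {account: (peak failures seen in one window, sorted source IPs)}."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    sources = defaultdict(set)    # account -> client IPs that failed against it
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != 401:
            continue
        ip, user, ts, _ = parsed
        q = recent[user]
        q.append(ts)
        sources[user].add(ip)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                # drop failures that fell out of the window
        if len(q) >= max_failures:
            peak[user] = max(peak.get(user, 0), len(q))
    return {user: (n, sorted(sources[user])) for user, n in peak.items()}
```

    On the sample, only "root" trips the five-in-sixty-seconds rule; alice's single failed attempt followed by a 200 is left alone.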

  4. #4
    AdSpeed.com Son Nguyen (Join Date: Aug 2000, Location: Silicon Valley, Posts: 2,241)
    The quote is very interesting, esp. with the song "O'er the net we go/Caching all the way;/O what fun it is to surf/Giving my password away!"

    Thanks Skunk
    - Son Nguyen
    AdSpeed.com - Ad Serving and Ad Management Made Easy

  5. #5
    SitePoint Member (Join Date: Feb 2001, Location: The Netherlands, Posts: 11)
    Okay, so what I'm trying to do is not only, in general, 'not done', but it's also considered foolish... hmmmm. What about using a PAM module that will allow authentication via a MySQL database? Maybe using a cron job? Wouldn't that be safer?

    But where would I start?

