in reply to Using Unix passwd/shadow to authenticate in perl

Hi
If you're running RH72 you probably also have FTP installed and running. If you do, then you can use FTP to check your passwords for you. If you don't have ftp running, you can configure it to only accept connections from localhost (for security), but for most internal stuff, this should work fine.

#!/usr/bin/perl
use strict;
use warnings;

my $U = "ronzo";
my $P = q/"[test]"/;
print "P=$P \n";
$P =~ s/\\/\\\\\\\\/g;   # escape the \ for shell
$P =~ s/"/\\"/g;         # escape the " for shell
$P =~ s/'/\\'/g;         # escape the ' for shell
$P =~ s/`/\\`/g;         # escape the ` for shell
$P =~ s/!/\\!/g;         # escape the ! for shell
print "P=", $P, " \n";

# run ftp command with ``; the heredoc feeds the commands to ftp's STDIN
my $a = `(ftp -n -v - <<EOF
open localhost
user $U $P
bye
EOF
) 2>&1`;

# a good connect will return a 230 User X Logged In
if ($a =~ /230 /) {
    print "Password Good \n";
} else {
    print "Password BAD \n";
}

It's not the best, but I tested it and it works, even with the funny character passwords. Just gotta get all the shell characters escaped if you run into any bad passwords that can't verify properly. Since I grew up on shell scripting I still rely on it for solutions.

On the FTP, -n does not auto login
-v for verbose, so it returns the 230 message.
- just the minus, for using STDIN for FTP commands
At the end of the FTP is the 2>&1, this just redirects STDERR back to STDOUT, this way $a has all the output.

I've used this method in the past, and you don't have to deal with having read access to /etc/shadow or special permissions to run other programs that can read the shadow file. The Apache user can do this just fine.

ronzo
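Added example, not ronzo's code and not from the thread: the same ftpd login check with the shell taken out of the loop, so the hand-escaping of \ " ' ` ! is no longer needed. It assumes a BSD/netkit-style ftp client that accepts -n -v - as in the post, and the function name ftp_password_ok is made up here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IPC::Open3;
use Symbol qw(gensym);

# Ask the local ftpd to log in as $user/$pass and return 1 if it answers
# with a 230 (logged in) reply, 0 otherwise.  Same check as the post
# above, but ftp is started directly: no /bin/sh, no heredoc, and so
# nothing in the password can be interpreted by the shell.
sub ftp_password_ok {
    my ($user, $pass) = @_;

    # ftp reads one command per line, so a control character (in
    # particular a newline) in either value would turn into extra ftp
    # commands.  Refuse those instead of trying to escape them.
    return 0 if $user =~ /[\x00-\x1f\x7f]/ || $pass =~ /[\x00-\x1f\x7f]/;

    # ftp splits the "user" line on whitespace, so a password containing
    # a space cannot be checked this way (the heredoc version in the
    # post has the same limitation); report it as a failed check.
    return 0 if $pass =~ /\s/;

    my ($in, $out) = (gensym, gensym);
    # undef for the error handle merges ftp's STDERR into $out,
    # the equivalent of the original "2>&1".
    my $pid = open3($in, $out, undef, 'ftp', '-n', '-v', '-');
    print {$in} "open localhost\n", "user $user $pass\n", "bye\n";
    close $in;

    my $reply = do { local $/; <$out> };   # slurp everything ftp printed
    close $out;
    waitpid $pid, 0;
    $reply = '' unless defined $reply;

    # 230 is the "User logged in" reply code; anchor it to a line start
    # so a 230 elsewhere in the banner text does not count.
    return $reply =~ /^230[ -]/m ? 1 : 0;
}

# Example use (constructed credentials, not real ones):
my ($user, $pass) = ('ronzo', 'example-password');
print ftp_password_ok($user, $pass) ? "Password Good\n" : "Password BAD\n";
```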

Re: Using Unix passwd/shadow to authenticate in perl
by Abigail-II (Bishop) on Sep 26, 2003 at 09:02 UTC
    I've used this method in the past, and you don't have to deal with having read access to /etc/shadow or special permissions to run other programs that can read the shadow file.

    Well, you do run another program with special permissions, and it's called 'ftpd'. Not something I recommend to solve this problem.

    The Apache user can do this just fine.

    On a properly configured system, there's only one user that can read /etc/shadow, and that's UID 0, aka root. Unless you change the permissions of /etc/shadow, or give the apache user UID 0 (neither of those actions is smart), it ain't going to work.

    Abigail

      I don't think you quite understand what I suggested. If you already have FTP enabled (and on 7.2 that's default) why not use it for authentication.

      Well, you do run another program with special permissions, and it's called 'ftpd'. Not something I recommend to solve this problem.

      So we should all turn off FTP on our servers?
      You're not running ftpd with some special permissions, you're actually attempting to login to ftp localhost.

      I'm not saying this is the best method, but it is a perfectly acceptable solution for the Linux world where scripts and other programs are the building blocks for you to use.

      ronzo

        I don't think you quite understand what I suggested. If you already have FTP enabled (and on 7.2 that's default) why not use it for authentication.

        Actually, I've turned off the default (wu-ftpd) FTP daemon because it had some security holes that caused me to get hax0rd by some script kiddies some time ago. I replaced it with VSFTPd which, by all accounts, is supposed to be as bullet-proof as people's passwords. Yeah, that's still a weak point, but it's better than letting anyone with a pre-configured hax0r script break in without even thinking about it.

        But since I am running *an* ftpd, I may as well use it!

        So we should all turn off FTP on our servers?
        Yes! Any smart sysadmin will turn off FTP services, especially non-anonymous FTP services.
        You're not running ftpd with some special permissions, you're actually attempting to login to ftp localhost.

        To be able to do that, you got to have something running on the FTP port. That something, which is often called ftpd, has got to read /etc/system. To be able to do so, that something needs special (UID = 0) permissions.

        Abigail

      Apache is generally started as root (it needs to be root to bind to a low port, port 80) and changes its effective UID at the earliest opportunity.
        I know that. But he didn't say "apache", he said "the apache user". When Apache is running as root, it can open /etc/shadow. But then it's running as root, not as "the apache user".

        Abigail

      Good info. I guess that reconfiguring suexec so that it can act as user 0 would open up too many potential doors, wouldn't it?
Re: Re: Using Unix passwd/shadow to authenticate in perl
by bennomatic (Initiate) on Sep 26, 2003 at 16:55 UTC
    Excellent. I actually started to try this method when I couldn't find "PAM", but I thought I wouldn't want to re-invent the wheel if there was a more elegant solution. If the authen::pam stuff doesn't work out, I'm using your code!!