Authen::PAM won't help with shadow passwords. Root is the only user that can read /etc/shadow, so root is the only user that can verify a password.
The advantage of using PAM is that it handles all the mechanisms for authenticating users. It takes care of the encryption algorithms: crypt, MD5, etc. It also will handle users authenticated through LDAP, Samba, NIS, or something else.
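#!/usr/bin/perl -w
use strict;
use Authen::PAM;

# Name of the user running the script
my $login_name = getpwuid($<);

# PAM conversation function: receives (type, message) pairs and must
# return a (code, answer) pair for each one, followed by a final status.
sub conversation {
    my @res;
    while ( @_ ) {
        my $msg_type = shift;
        my $msg = shift;
        my $ans = "put your password here";
        push @res, (0,$ans);
    }
    push @res, PAM_SUCCESS();
    return @res;
}

my $pamh;
pam_start("passwd", $login_name, \&conversation, $pamh) == PAM_SUCCESS()
    or die "pam_start failed\n";
# Prints the PAM result code (0 is PAM_SUCCESS)
print pam_authenticate($pamh);
pam_end($pamh);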
The outcome changes depending on whether the password is correct.
Cheers
Antonio
The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
OK, I'm confused. So if I use the Authen::PAM module, I will or won't be able to authenticate users from a CGI script based on their UNIX account/password pairs? I don't actually care about direct access to the shadow file, as long as I can make those authentications...
#!/usr/bin/perl -w
#------------------------------------------------------------
# Usage: pwdcheck login password
#------------------------------------------------------------
use strict;
use Authen::PAM;

#----------------------------------------
# isValid ( user, pass )
# check whether the user/pass combo is valid
#----------------------------------------
sub isValid {
    my ( $login, $pass ) = @_;
    my $pamh;
    # The conversation callback answers every PAM prompt with the
    # password: one (code, answer) pair per message, then a final status.
    my $ret = pam_start( "passwd", $login,
        sub { ( ( 0, $pass ) x (@_/2), PAM_SUCCESS() ) },
        $pamh );
    # No usable handle if pam_start failed
    return '' unless $ret == PAM_SUCCESS();
    my $res = pam_authenticate($pamh) == PAM_SUCCESS();
    pam_end($pamh);
    return $res;
}

my ( $login, $pass ) = @ARGV;
# Prints 1 on success, nothing on failure
print isValid ( $login, $pass );
As you can see, by invoking it as an unprivileged user as "script username password", it prints 1 if the login/pass combo is a valid (Unix) one, while it waits a couple of seconds and exits silently otherwise. You can use the isValid function in your CGI script without needing root privileges.
Cheers
Antonio
The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
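A variant of the check posted above, added here as an example and not part of the original thread: it answers each PAM prompt according to its message type, also runs the account-management step so expired or locked accounts are rejected, and reads the password from STDIN because command-line arguments are visible in the process list. The names check_login and pwdcheck-stdin are hypothetical, and the "passwd" service name is taken from the posts above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::PAM;

# Hypothetical helper (not from the thread): returns 1 if PAM accepts the
# login/password pair and the account is usable, 0 otherwise.
sub check_login {
    my ( $service, $login, $pass ) = @_;

    # Answer each PAM message by its type instead of sending the
    # password in reply to every message.
    my $conv = sub {
        my @res;
        while (@_) {
            my ( $type, $msg ) = ( shift, shift );
            my $ans = '';    # info and error messages get an empty answer
            $ans = $login if $type == PAM_PROMPT_ECHO_ON();
            $ans = $pass  if $type == PAM_PROMPT_ECHO_OFF();
            push @res, ( PAM_SUCCESS(), $ans );
        }
        return ( @res, PAM_SUCCESS() );
    };

    my $pamh;
    my $ret = pam_start( $service, $login, $conv, $pamh );
    return 0 unless $ret == PAM_SUCCESS();

    $ret = pam_authenticate( $pamh, 0 );
    # A correct password is not enough: also reject expired or locked accounts.
    $ret = pam_acct_mgmt( $pamh, 0 ) if $ret == PAM_SUCCESS();
    pam_end($pamh);
    return $ret == PAM_SUCCESS() ? 1 : 0;
}

# Usage: printf '%s\n' "$password" | pwdcheck-stdin login
my $login = shift @ARGV;
die "usage: $0 login  (password on STDIN)\n" unless defined $login;
my $pass = <STDIN>;
die "no password supplied\n" unless defined $pass;
chomp $pass;

# Exit status 0 means the pair was accepted, 1 means it was rejected.
exit( check_login( 'passwd', $login, $pass ) ? 0 : 1 );
```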