in reply to Re: Re: Using Unix passwd/shadow to authenticate in perl
in thread Using Unix passwd/shadow to authenticate in perl

Authen::PAM won't help with shadow passwords. Root is the only user that can read /etc/shadow, so root is the only user that can verify a password.

The advantage of using PAM is that it handles all the mechanisms for authenticating users. It takes care of the encryption algorithms: crypt, MD5, etc. It also will handle users authenticated through LDAP, Samba, NIS, or something else.

Re: Re: Re: Re: Using Unix passwd/shadow to authenticate in perl
by abell (Chaplain) on Sep 26, 2003 at 20:29 UTC

    You can actually use pam to authenticate as a normal user. You never get to see the encrypted password, but the pam lib tells you whether the password you are giving is right or not. Here is a quick example (cut & paste from the Authen::PAM perldocs):

    #!/usr/bin/perl -w
    use strict;
    use Authen::PAM;

    # authenticate as the user running the script
    my $login_name = getpwuid($<);

    # PAM conversation callback: receives (type, message) pairs and
    # returns (code, answer) pairs followed by an overall status
    sub conversation {
        my @res;
        while ( @_ ) {
            my $msg_type = shift;
            my $msg = shift;
            my $ans = "put your password here";
            push @res, (0,$ans);
        }
        push @res, PAM_SUCCESS();
        return @res;
    }

    my $pamh;
    pam_start("passwd", $login_name, \&conversation, $pamh);
    print pam_authenticate($pamh);   # prints the PAM result code
    pam_end($pamh);

    The outcome changes depending on whether the password is correct.

    Cheers

    Antonio

    The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
Re: Re: Re: Re: Using Unix passwd/shadow to authenticate in perl
by bennomatic (Initiate) on Sep 26, 2003 at 21:51 UTC
    OK, I'm confused. So if I use the AUTHEN::PAM module, I will or won't be able to authenticate users from a CGI script based on their UNIX account/password pairs? I don't actually care about direct access to the shadow file, as long as I can make those authentications...

      Yes you can. Try with the following, which is a cleaned-up version of my previous post:

      #!/usr/bin/perl -w
      #------------------------------------------------------------
      # Usage: pwdcheck login password
      #------------------------------------------------------------
      use strict;
      use Authen::PAM;

      #----------------------------------------
      # isValid ( user, pass )
      # check whether the user/pass combo is valid
      #----------------------------------------
      sub isValid {
          my ( $login, $pass ) = @_;
          my $pamh;
          # the conversation callback answers every PAM prompt with the password
          pam_start( "passwd", $login,
              sub { ( ( 0, $pass ) x (@_/2), PAM_SUCCESS() ) },
              $pamh );
          my $res = pam_authenticate($pamh) == PAM_SUCCESS();
          pam_end($pamh);
          return $res;
      }

      my ( $login, $pass ) = @ARGV;
      print isValid ( $login, $pass );

      As you can see, by invoking it as an unprivileged user as script username password, it prints 1 if the login/pass combo is a valid (unix) one, while it waits a couple of seconds and exits silently otherwise. You can use the isValid function in your cgi script without needing root privileges.

      Cheers

      Antonio


      The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
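
An added example, not part of the original posts: a variant of the PAM check above whose conversation callback looks at each message type, so the password is returned only for echo-off prompts, and which also runs the account check after authentication. The name check_login, the choice to answer echo-on prompts with the login name, and reading the password from STDIN instead of the command line are assumptions of this example; it also assumes the PAM stack for the "passwd" service lets the calling user authenticate the target account.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::PAM;

# check_login(service, login, password) -- hypothetical helper name.
# Returns 1 only if both authentication and the account check succeed.
sub check_login {
    my ( $service, $login, $pass ) = @_;

    # PAM hands the callback (type, text) pairs and expects (code, answer)
    # pairs back, followed by one overall status code.
    my $conv = sub {
        my @res;
        while (@_) {
            my ( $type, $text ) = splice @_, 0, 2;
            if ( $type == PAM_PROMPT_ECHO_OFF() ) {
                push @res, ( PAM_SUCCESS(), $pass );     # hidden prompt: password
            }
            elsif ( $type == PAM_PROMPT_ECHO_ON() ) {
                push @res, ( PAM_SUCCESS(), $login );    # assumption: visible prompt asks for the login
            }
            else {
                push @res, ( PAM_SUCCESS(), '' );        # info/error text: never answer with the password
            }
        }
        return ( @res, PAM_SUCCESS() );
    };

    my $pamh;
    return 0 unless pam_start( $service, $login, $conv, $pamh ) == PAM_SUCCESS();

    my $rc = pam_authenticate( $pamh, 0 );
    # A correct password is not enough: also reject expired or disabled accounts.
    $rc = pam_acct_mgmt( $pamh, 0 ) if $rc == PAM_SUCCESS();
    pam_end( $pamh, $rc );

    return $rc == PAM_SUCCESS() ? 1 : 0;
}

# Usage: pwdcheck login < file-or-pipe-with-password
# Reading the password from STDIN keeps it out of the process list.
my $login = shift @ARGV or die "usage: $0 login\n";
chomp( my $pass = <STDIN> // '' );
print check_login( 'passwd', $login, $pass ) ? "ok\n" : "denied\n";
```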