The reason that you don't want to do this is that if some cracker finds a workaround for any security obstacles put in his way (which he will), it means a total breach of security. You don't want that.
If you do go through with it (which you shouldn't), encrypt the passwords and implement other security mechanisms (like emailing the user for authentication). IIRC, the Expect module would be of use for interfacing with passwd (or any other program that involves multi-step user input...within reason).
redmist
Silicon Cowboy
Manipulating the Cosmic Mixing Board of Slack since 1981. | [reply] |
If your system is using PAM for its authentication, check out the Authen::PAM module, which includes code for changing the current user's password in its documentation. This is a very, very dangerous thing to be doing with CGI, though (as has been mentioned).
In addition, if you're prepared to run your CGI as root (or, better, if you're farming off the 'change' to another script that runs as root), which is a whole other can of worms, you might be able to make use of Unix::PasswdFile or Passwd::Linux. | [reply] |
I'm currently working on a project to do something very similar - allow users to change their email passwords on our custom software. I'm using this code as the way of separating the more easily hackable CGI from the password-changing-server running as root. Plus it runs securely between separate machines. I think I would prefer Bluetooth(sp?) but I can't find a module for it yet.
In your particular case the users should just be logging in to change their passwords, since they already have shell accounts.
____________________
Jeremy
I didn't believe in evil until I dated it. | [reply] |