Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I am planning to use the Authen PAM script below (example from the CPAN site http://nik.pelov.name/files/Authen/PAM/FAQ.html#2__can_i_change_a_password_non_interactively) from mod_perl.
Can the username and password we supply be monitored on the server using the ps -ef command?

use strict;
use warnings;
use Authen::PAM;

my $service     = "passwd";
my $username    = "foo";
my $oldpassword = "old_pass";
my $newpassword = "new_pass";
my $state       = 0;   # which ECHO_OFF prompt we are answering: old, new, retype

# Conversation function: PAM hands over (message_type, message_text) pairs.
# ECHO_ON prompts get the username; ECHO_OFF prompts get the old password
# first, then the new password twice, in the order passwd asks for them.
sub my_conv_func {
    my @res;
    while ( @_ ) {
        my $code = shift;
        my $msg  = shift;
        my $ans  = "";

        $ans = $username if ( $code == PAM_PROMPT_ECHO_ON() );
        if ( $code == PAM_PROMPT_ECHO_OFF() ) {
            $ans = $oldpassword if ( $state == 0 );
            $ans = $newpassword if ( $state == 1 );
            $ans = $newpassword if ( $state == 2 );
            $state++;
        }
        push @res, ( PAM_SUCCESS(), $ans );
    }
    push @res, PAM_SUCCESS();
    return @res;
}

# new() returns an object on success and a numeric error code on failure.
my $pamh;
ref( $pamh = new Authen::PAM( $service, $username, \&my_conv_func ) )
    || die "Error code $pamh during PAM init!";

$state = 0;
my $res = $pamh->pam_chauthtok;
print $pamh->pam_strerror($res), "\n" unless $res == PAM_SUCCESS();

Edited by planetscape - added code tags

Re: Authen PAM security question
by shmem (Chancellor) on Apr 10, 2007 at 13:03 UTC
    I am planning to use the Authen PAM script below (example from the CPAN site) from mod_perl.

    Can the username and password we supply be monitored on the server using the ps -ef command?

    Via ps - but not necessarily with the -ef options, more likely with ps axe (BSD style) - they will only be visible if they are exported into the environment (i.e. somehow accessible inside the perl script through the %ENV hash). But there are other methods to intercept them on a server, e.g. sniffing the network or tracing the apache process.

    update - be aware also that changing authentication tokens will only succeed if the process doing that runs under UID 0, that is, as root.

    --shmem

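As an added check (not code from this thread or from Authen::PAM), a Linux-only Perl script that reads the same /proc files ps reads and reports where a given secret is visible. It assumes a readable /proc; the `DEMO_PASSWORD` variable, the `--password=` argument and the password value are constructed for the demonstration.

```perl
use strict;
use warnings;

# NUL-separated entries of /proc/PID/cmdline or /proc/PID/environ: the
# argv and exec-time environment that ps (and `ps axe`) display on Linux.
# Empty list if /proc is absent or not readable.
sub read_proc {
    my ($pid, $chan) = @_;
    open my $fh, '<:raw', "/proc/$pid/$chan" or return ();
    my $blob = do { local $/; <$fh> };
    return split /\0/, $blob // '';
}
# Channels of process $pid in which $secret appears.
sub secret_exposure {
    my ($secret, $pid) = @_;
    return grep { my $chan = $_;
                  grep { index($_, $secret) >= 0 } read_proc($pid, $chan) } qw(cmdline environ);
}

# Fork a child that only sleeps, passing $secret on its argv and/or in its
# environment; return the pid once the exec has taken place.
sub spawn_with_secret {
    my ($secret, %how) = @_;
    my $pid = fork;
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        $ENV{DEMO_PASSWORD} = $secret if $how{in_env};       # inherited by the new image
        my @argv = ($^X, '-e', 'sleep 30', '--');
        push @argv, "--password=$secret" if $how{in_argv};  # lands in the child's @ARGV
        exec @argv or die "exec: $!";
    }
    for (1 .. 40) {                                          # poll until the new image is up
        last if grep { $_ eq 'sleep 30' } read_proc($pid, 'cmdline');
        select undef, undef, undef, 0.05;
    }
    return $pid;
}

# Constructed demo: the lexical holding the password here (where the
# Authen::PAM conversation function keeps it too) is in neither channel;
# passing it to a child on argv or in %ENV is what ps can see.
my $password = 'constructed_example_pass';
printf "parent %d: %s\n", $$, join(',', secret_exposure($password, $$)) || 'not exposed';
for my $how ({ in_argv => 1 }, { in_env => 1 }) {
    my $child = spawn_with_secret($password, %$how);
    printf "child %d (%s): %s\n", $child, (keys %$how)[0],
        join(',', secret_exposure($password, $child)) || 'not exposed';
    kill 'TERM', $child; waitpid $child, 0;
}
```

Only the environment a process was exec'ed with appears in /proc/PID/environ, so a value assigned to %ENV later in the same process is not what `ps axe` shows; it becomes visible once a child is spawned with it.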
      Thanks a lot for the reply