[4662] in WWW Security List Archive
Re: changing passwords
daemon@ATHENA.MIT.EDU (Ed. Lott)
Wed Mar 5 08:19:40 1997
Date: Wed, 05 Mar 1997 05:06:12 -0600
To: Ammon <ammon@ikx.org>
From: "Ed. Lott" <edlott@IBM.NET>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Ammon:
I haven't tried this, but I think that you should be able to:
1. Write an HTML FORM to accept the userid, old password,
and new password
2. Write a CGI script in expect to change the UNIX password
on the web server machine and send the output back to the user.
3. Use NIS, NIS+, rcp, etc., possibly invoked from cron, to
migrate the password file to the other servers (i.e. mail,
dial-in access, news, etc.).
Notes:
CGI scripts can be written in many languages, including the
Bourne shell (sh), Bourne-again shell (bash), C shell (csh),
compiled programs, expect, etc. expect is a scripting
language used to automate even difficult-to-automate UNIX
commands such as fsck and passwd. expect was developed by
Don Libes of the U.S. National Institute of Standards and
Technology (NIST).
You should consider an SSL-enabled web server to pass the
userid and password across the network.
Please address any comments via e-mail to me and the list.
Please address any flames via e-mail directly to me.
Ed. Lott ( edlott@ibm.net)
----------------------------------------------------------------------
At 07:13 PM 3/3/97 -0600, Ammon wrote:
>>Being an administrator for an ISP I've always had many clients
>>requesting some Web interface for changing passwords. I guess with
>
>>
>>Does anybody have any idea how it could be done?
>
>Well...this may or may not work, but here is what I am thinking: Write a
>program that connects to a port on your computer (CGI prog). On this port
>could be another program listening that allows users to enter in their
>password. Write up a cgi program/form to send information to this port, and
>you're all set. One thing you may want to do first: encrypt the string
>(even if it's 'encrypted' in uuencode) before you pass it to the server, so
>that anyone sniffing can't take a look at it. Make sure you make the cgi
>prog and the port listener bug-free, because if I were to go after your
>server, then one of the first things that I would do would be to see if
>there are any bugs in that program (such as telling someone that a user
>name does or does not exist, that they entered the wrong password first,
>etc.). Also, make sure you log accesses to that program on the port (and
>the web accesses to the page) to make sure that there is not suspicious
>activity going on. As an added measure of security (though this can be
>circumvented --sorry, bad speller-- if the attacker has the right tools),
>check the IP address of the person accessing the web page/program to make
>sure they are on your ISP. All of these things will deter anyone but the
>most absolutely determined attackers.
>
>I had a similar thing like this, where I had a program to set up users'
>passwords through htpasswd. Well....that's how I'd probably do it, at
>least :)
>
> ammon@ikx.org
> ikx.org/~ammon
>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>"Everyone has a talent. What is rare is the courage to
>follow that talent to the dark place where it leads."
>
>"A riot is the language of the unheard."
>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> take back alt.2600 http://tb2600.home.ml.org
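Added example, not code from either poster: the CGI front end that both messages assume, written the way Ed's step 2 and Ammon's cautions (bug-free CGI, uniform error replies, logging, source-IP check) suggest. It assumes a separate privileged helper at the hypothetical path /usr/local/libexec/chpass-helper.exp (an expect script driving passwd) that reads "userid, old password, new password" on stdin; the ISP netblocks and the demo request are constructed values. The secrets never go on the command line, no shell is involved, and the client only ever sees one generic failure string.

```python
"""Input-validating front end for a web password-change CGI (added example)."""
import ipaddress
import re
import subprocess
import sys
import time

# POSIX portable login names: lowercase letters, digits, '_' and '-', max 32 chars.
# Rejecting anything else also keeps shell metacharacters away from the helper.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed sample netblocks standing in for "our ISP's" address space.
ISP_NETS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]

# Hypothetical privileged helper; this script itself runs unprivileged.
HELPER = ["/usr/local/libexec/chpass-helper.exp"]

GENERIC_FAILURE = "Password change failed."   # never tell the client *why*


def client_allowed(client_ip):
    """Ammon's IP check: accept only addresses inside the ISP's netblocks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ISP_NETS)


def validate(userid, old_pw, new_pw):
    """Return None if the request is well-formed, else a reason for the log only."""
    if not LOGIN_RE.match(userid):
        return "bad userid"
    for name, pw in (("old", old_pw), ("new", new_pw)):
        if not 1 <= len(pw) <= 128:
            return f"{name} password length"
        if any(ord(c) < 32 or ord(c) == 127 for c in pw):
            return f"{name} password has control characters"
    if new_pw == old_pw:
        return "new password equals old"
    if len(new_pw) < 8:
        return "new password too short"
    return None


def helper_stdin(userid, old_pw, new_pw):
    """Secrets go to the helper on stdin, never on argv (argv is visible in ps)."""
    return f"{userid}\n{old_pw}\n{new_pw}\n"


def log_line(client_ip, userid, outcome, reason=""):
    """One audit record per attempt; passwords are never logged.

    The userid is filtered before logging because a denied request may carry
    an arbitrary string, and an unfiltered newline would forge log records.
    """
    safe_user = re.sub(r"[^\x21-\x7e]", "?", userid)[:32]
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return f"{stamp} chpass client={client_ip} user={safe_user} result={outcome} {reason}".rstrip()


def change_password(client_ip, userid, old_pw, new_pw, run=subprocess.run, log=None):
    """Full request path: IP gate, validation, helper call, uniform reply.

    `run` and `log` are injectable so the flow can be exercised without the
    real helper (see the demo below); `log` receives one audit line per call.
    """
    if log is None:
        log = lambda line: print(line, file=sys.stderr)
    if not client_allowed(client_ip):
        log(log_line(client_ip, userid, "denied", "off-net"))
        return GENERIC_FAILURE
    reason = validate(userid, old_pw, new_pw)
    if reason is not None:
        log(log_line(client_ip, userid, "rejected", reason))
        return GENERIC_FAILURE
    # Fixed argv list, no shell, secrets on stdin, bounded wait for the helper.
    proc = run(HELPER, input=helper_stdin(userid, old_pw, new_pw),
               capture_output=True, text=True, timeout=15)
    ok = proc.returncode == 0
    log(log_line(client_ip, userid, "ok" if ok else "helper-failed"))
    return "Password changed." if ok else GENERIC_FAILURE


if __name__ == "__main__":
    # Constructed demo: a stand-in for the helper that always succeeds.
    class _Done:
        returncode = 0
    fake_run = lambda argv, **kw: _Done()
    print(change_password("192.0.2.10", "alice", "old1pass", "new2password", run=fake_run))
    print(change_password("203.0.113.5", "alice", "old1pass", "new2password", run=fake_run))
    print(change_password("192.0.2.10", "alice;id", "old1pass", "new2password", run=fake_run))
```

The helper is where the privilege lives, so keep it minimal and let this front end do all the rejecting; on the wire, as Ed notes, none of this helps unless the form is served over SSL.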