[4734] in WWW Security List Archive
Re: changing passwords
daemon@ATHENA.MIT.EDU (Ed. Lott)
Sun Mar 9 15:43:17 1997
Date: Sun, 09 Mar 1997 12:45:45 -0600
To: Ammon <ammon@ikx.org>
From: "Ed. Lott" <edlott@IBM.NET>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
At 07:13 PM 3/3/97 -0600, Ammon wrote:
>>Being an administrator for an ISP I've always had many clients
>>requesting some Web interface for changing passwords. I guess with
>
>>
>>Does anybody have any idea how it could be done?
>
--------------------------------------------------------------------------
Below is a HTML form, CGI script using expect and example output
for a WEB interface for changing passwords. It needs a lot more
error checking in the script, however it does work as is. Please
note that it uses uncgi to put the form variables into UNIX
environment variables. If you have any questions, please feel
free to send me a note.
--------------------------------------------------------------------------
<HTML>
<!.>
<! passwd.htm password change form >
<!.>
<HEAD>
<TITLE> Password Change</TITLE>
</HEAD>
<BODY>
<H1>
Password Change
</H1>
<FORM METHOD="POST" ACTION="/cgi-bin/uncgi/passwd.ex">
<P>
USERID: <INPUT NAME="USERID" TYPE="TEXT" VALUE="" SIZE="8" ALIGN=right>
</P>
<P>
OLD PASSWORD: <INPUT NAME="OLDPASS" TYPE="PASSWORD" SIZE="8" ALIGN=right>
</P>
<P>
NEW PASSWORD: <INPUT NAME="NEWPASS" TYPE="PASSWORD" SIZE="8" ALIGN=right>
</P>
<P>
<INPUT NAME="SUBMIT:" TYPE="SUBMIT" VALUE="SUBMIT" ALIGN=right>
</P>
</FORM>
</BODY>
</HTML>
------------------------------------------------------------------------
#!/usr/bin/expect
#
# passwd.ex cgi script
#
log_user 1
set timeout 10
set send_slow {1 .100}
set W_USERID [set env(WWW_USERID)]
set W_OLDPASS [set env(WWW_OLDPASS)]
set W_NEWPASS [set env(WWW_NEWPASS)]
send_user "Content-type: text/html\n"
send_user "\n"
send_user "<HTML>\n"
send_user "<HEAD>\n"
send_user "<TITLE> Password Change </TITLE>\n"
send_user "</HEAD>\n"
send_user "<BODY>\n"
send_user "<H1> Password Change Using expect CGI </H1>\n"
send_user "<PRE>\n"
spawn telnet localhost
expect {
"login:" {send -s "$W_USERID\n"}
}
set timeout 5
expect {
"Password:" {send -s "$W_OLDPASS\n"}
}
expect {
timeout {send -s "passwd\n"}
'$' {send -s "passwd\n"}
}
log_user 1
expect {
timeout {send_user "passwd -1- timed out"
return}
"word:" {send -s "$W_OLDPASS\n"}
}
expect {
timeout {send_user "passwd -2- timed out"
return}
"word:" {send -s "$W_NEWPASS\n"}
}
expect {
timeout {send_user "passwd -3- timed out"
return}
"(again):" {send -s "$W_NEWPASS\n"}
}
expect {
timeout {send -s "logout\n"}
'$' {send -s "logout\n"}
}
send_user "</PRE>\n"
send_user "</BODY>\n"
send_user "</HTML>\n"
-------------------------------------------------------------------------
Password Change Using expect CGI
spawn telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 4.0 (Colgate)
Kernel 2.0.20 on a i486
login: testuser
Password:
Last login: Sun Mar 9 11:01:17 from localhost
Entering /etc/bashrc
Exiting /etc/bashrc
[testuser@john53 testuser]$ passwd
Password:
New password:
New password (again):
Password changed
passwd: all authentication tokens updated successfully
[testuser@john53 testuser]$
