Date:      Fri, 11 Sep 1998 10:52:47 -0700 (PDT)
From:      patl@phoenix.volant.org
To:        Roman Katsnelson <romank@graphnet.com>
Cc:        "q's" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: manual password encryption
Message-ID:  <ML-3.3.905536367.3448.patl@asimov>
In-Reply-To: <35F93AC5.479E89D5@graphnet.com>

> I would like to be able to verify user privileges with a web GUI.
> Instead of keeping a separate file with unencrypted passwords, though, I
> just wanna be able to verify them from passwd, for example:
> 
> the $QUERY_STRING is blah.cgi?name=johnny&pwd=bgoode
> 
> I wanna match this to:
> 
> grep -e "$name" /etc/passwd | cut -d":" -f1 # will yield user name
> grep -e "$name" /etc/passwd | cut -d":" -f2 # will yield password
> 
> can I manually encrypt the value of $pwd in the above example so that it
> matches the grep | cut output?
> 
> I hope I explained that ok.

Perl has the necessary functions to encrypt the password you are given
and obtain the necessary passwd database entry.  (They correspond to
the equivalent C library functions.)

BUT, do you REALLY want the user's passwords being transmitted in the
clear in the HTTP request, potentially stored in browser history files,
etc.?

One solution to the first problem would be to use a secure server.  In
conjunction with recent browser releases, that should also handle the
second problem.  (But beware - older browsers kept secure requests in
history and cache files.)

Another potential solution would be to investigate the use of JavaScript
to encrypt the password and send the encrypted value instead of the
cleartext.  Note that this will still allow snoopers to have access to
any Web resources that the legitimate user can access with that password.

One of the big advantages of the separate password file for Web auth
checking is that it means you can, and should, have different passwords
for shell/dialup login and Web access.



-Pat

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
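The following is an added example, not code from Pat's reply or from the original question, showing the approach Pat describes in Perl: the builtin crypt() (a wrapper over the C library crypt(3)) re-encrypts the candidate password using the stored hash as the salt argument, and a separate Web-only password file of name:hash lines replaces the grep over /etc/passwd. The file path, the function names and the use of the $6$ (SHA-512) crypt scheme are assumptions of this example; the $6$ scheme needs a crypt(3) that supports it (FreeBSD and glibc do), and the system hashes on FreeBSD live in /etc/master.passwd, readable only by root, which is one more reason to keep a separate file for Web access as Pat suggests.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): a small Perl password check
# in the style Pat describes, using the builtin crypt() over a separate
# name:hash file for Web access.
use strict;
use warnings;

# Hypothetical location of the Web-only password file (name:hash per line).
# This path is an assumption of the example, not a path from the thread.
my $WEB_PASSWD = '/usr/local/etc/webauth.passwd';

# Build a random salt for the SHA-512 crypt scheme ($6$...$), drawing the
# randomness from /dev/urandom rather than Perl's rand().
sub make_salt {
    my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');   # 64 salt characters
    open my $rnd, '<', '/dev/urandom' or die "urandom: $!";
    read($rnd, my $bytes, 16) == 16 or die "short read from urandom";
    close $rnd;
    # 256 is a multiple of 64, so ord() % 64 picks each character uniformly.
    return '$6$' . join('', map { $chars[ord($_) % @chars] } split //, $bytes) . '$';
}

# Enrollment: the equivalent of what passwd(1) does for the system file,
# done here for the separate Web file. Returns the string to store.
sub hash_password {
    my ($plain) = @_;
    return crypt($plain, make_salt());
}

# Verification: crypt(3) reads the scheme and salt back out of the stored
# hash, so re-encrypting the candidate and comparing is the whole check.
# A stored field of '*' or '' (as in a locked account) can never match.
sub check_password {
    my ($plain, $stored) = @_;
    return 0 unless defined $stored && length($stored) > 1;
    return crypt($plain, $stored) eq $stored ? 1 : 0;
}

# Exact-name lookup in a name:hash file. Unlike grep -e "$name", the user
# name is never interpreted as a regular expression and never matches a
# substring of some other account's line.
sub lookup_hash {
    my ($file, $user) = @_;
    open my $fh, '<', $file or return undef;
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $hash) = split /:/, $line, 2;
        if (defined $name && $name eq $user) {
            close $fh;
            return $hash;
        }
    }
    close $fh;
    return undef;
}

# Offline demonstration with a constructed entry, so no file is needed.
# The user name and password are the ones from the original question.
my $stored = hash_password('bgoode');   # what enrollment would write to the file
print "correct password: ", (check_password('bgoode', $stored) ? "accepted" : "rejected"), "\n";
print "wrong password:   ", (check_password('bgood',  $stored) ? "accepted" : "rejected"), "\n";

# Real use would combine the two halves, e.g. for the CGI's name and pwd:
#   my $hash = lookup_hash($WEB_PASSWD, $name);
#   my $ok   = check_password($pwd, $hash);
```

Two design points worth keeping in mind: the stored hash is passed back into crypt() unchanged, which is what makes the scheme and salt self-describing, and the `eq` comparison is not constant-time, so a deployment that cares about timing side channels would compare the two strings byte by byte without early exit. The CGI parameters themselves should still only arrive over HTTPS, for the reasons Pat gives.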


