Date: Fri, 11 Sep 1998 10:52:47 -0700 (PDT)
From: patl@phoenix.volant.org
To: Roman Katsnelson <romank@graphnet.com>
Cc: "q's" <freebsd-questions@FreeBSD.ORG>
Subject: Re: manual password encryption
Message-ID: <ML-3.3.905536367.3448.patl@asimov>
In-Reply-To: <35F93AC5.479E89D5@graphnet.com>

> I would like to be able to verify user privileges with a web GUI.
> Instead of keeping a separate file with unencrypted passwords, though, I
> just wanna be able to verify them from passwd, for example:
>
> the $QUERY_STRING is blah.cgi?name=johnny&pwd=bgoode
>
> I wanna match this to:
>
> grep -e "$name" /etc/passwd | cut -d":" -f1 # will yield user name
> grep -e "$name" /etc/passwd | cut -d":" -f2 # will yield password
>
> can I manually encrypt the value of $pwd in the above example so that it
> matches the grep | cut output?
>
> I hope I explained that ok.

Perl has the necessary functions to encrypt the password you are given
and obtain the necessary passwd database entry. (They correspond to the
equivalent C library functions.)

BUT, do you REALLY want the user's passwords being transmitted in the
clear in the HTTP request, potentially stored in browser history files,
etc.?

One solution to the first problem would be to use a secure server. In
conjunction with recent browser releases, that should also handle the
second problem. (But beware - older browsers kept secure requests in
history and cache files.)

Another potential solution would be to investigate the use of JavaScript
to encrypt the password and send the encrypted value instead of the
cleartext. Note that this will still allow snoopers to have access to
any Web resources that the legitimate user can access with that password.

One of the big advantages of the separate password file for Web auth
checking is that it means you can, and should, have different passwords
for shell/dialup login and Web access.

-Pat

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
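
The check discussed in this thread, sketched in Perl as an added example (it is not code from either poster): look the user up by exact name with getpwnam() instead of grep, then re-hash the submitted password with crypt() using the stored hash as the salt. The names verify_password, ct_eq and the $lookup hook, the login-name pattern, and the sample user data are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constant-time comparison, so timing does not reveal how much of the hash matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# verify_password($user, $pwd, $lookup) returns 1 on a match, 0 otherwise.
# $lookup is a hypothetical hook returning the stored hash for a login name.
# The default asks the system password database; on systems with shadowed
# passwords getpwnam() returns the real hash only to a privileged process.
sub verify_password {
    my ($user, $pwd, $lookup) = @_;
    $lookup ||= sub { (getpwnam($_[0]))[1] };

    # Assumed policy: plain login names only. The value never reaches a shell
    # or a regex, unlike grep -e "$name", which also matches substrings.
    return 0 unless defined $user && $user =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}\z/;
    return 0 unless defined $pwd && length $pwd;

    my $stored = $lookup->($user);
    # Short fields or ones starting with "*" or "!" are locked or shadowed, not hashes.
    return 0 unless defined $stored && length($stored) >= 13 && $stored !~ /\A[*!]/;

    # crypt() takes the salt (and algorithm prefix, if any) from the stored hash.
    my $computed = crypt($pwd, $stored);
    return 0 unless defined $computed;
    return ct_eq($computed, $stored) ? 1 : 0;
}

# Constructed demo data: the hash is generated here with a fixed sample salt.
my %db   = (johnny => crypt('bgoode', 'ab'));
my $demo = sub { $db{ $_[0] } };
printf "%-7s %-7s %s\n", @$_, verify_password(@$_, $demo) ? 'accepted' : 'rejected'
    for ['johnny', 'bgoode'], ['johnny', 'wrong'], ['john', 'bgoode'];
```

The last sample case uses a name that is only a prefix of an existing account; the exact-name lookup rejects it.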