From owner-freebsd-questions Fri Sep 11 10:53:08 1998
From: patl@phoenix.volant.org
Date: Fri, 11 Sep 1998 10:52:47 -0700 (PDT)
Reply-To: patl@phoenix.volant.org
Subject: Re: manual password encryption
To: Roman Katsnelson
cc: "q's"
In-Reply-To: <35F93AC5.479E89D5@graphnet.com>
Sender: owner-freebsd-questions@FreeBSD.ORG

> I would like to be able to verify user privileges with a web GUI.
> Instead of keeping a separate file with unencrypted passwords, though, I
> just wanna be able to verify them from passwd, for example:
>
> the $QUERY_STRING is blah.cgi?name=johnny&pwd=bgoode
>
> I wanna match this to:
>
> grep -e "$name" /etc/passwd | cut -d":" -f1 # will yield user name
> grep -e "$name" /etc/passwd | cut -d":" -f2 # will yield password
>
> can I manually encrypt the value of $pwd in the above example so that it
> matches the grep | cut output?
>
> I hope I explained that ok.

Perl has the necessary functions to encrypt the password you are given and
obtain the necessary passwd database entry. (They correspond to the
equivalent C library functions.)
BUT, do you REALLY want the users' passwords being transmitted in the clear
in the HTTP request, potentially stored in browser history files, etc.?

One solution to the first problem would be to use a secure server. In
conjunction with recent browser releases, that should also handle the second
problem. (But beware - older browsers kept secure requests in history and
cache files.)

Another potential solution would be to investigate the use of JavaScript to
encrypt the password and send the encrypted value instead of the cleartext.
Note that this will still allow snoopers to have access to any Web resources
that the legitimate user can access with that password.

One of the big advantages of the separate password file for Web auth
checking is that it means you can, and should, have different passwords for
shell/dialup login and Web access.

-Pat

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
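The Perl functions Pat refers to are crypt() and getpwnam(), which wrap the C library's crypt(3) and getpwnam(3). The script below is an added example and is not code from either poster: it checks a web-supplied password against a stored crypt-style hash, looking the hash up either in the system passwd database or in a separate name:hash file of the kind Pat recommends for Web access. The user name, password, file path and the sample file contents are all constructed for the demonstration; the hash format ($1$ MD5 crypt) must be one the platform's crypt(3) supports.

```perl
#!/usr/bin/perl
# Added example, not from the original mailing-list thread.  Verifies a
# cleartext password against a crypt(3)-style hash obtained either from
# getpwnam() or from a separate web password file.  The names, the file
# path and the sample file contents below are assumptions.
use strict;
use warnings;

# Compare a cleartext password against a stored crypt(3) hash.
# crypt() takes the salt (and, for modular hashes such as $1$..., the
# algorithm) from the stored hash, so re-encrypting the candidate with the
# stored hash as the "salt" reproduces the stored hash exactly when the
# candidate is the right password.
sub check_crypt {
    my ($cleartext, $stored) = @_;
    return 0 unless defined $stored && length $stored > 1;
    return 0 if $stored =~ /^[*!]/;     # locked / password-less accounts never match
    my $again = crypt($cleartext, $stored);
    return (defined $again && $again eq $stored) ? 1 : 0;
}

# Fetch the stored hash for an exact user name from the passwd database.
# Unlike grep -e "$name" /etc/passwd, getpwnam() does not match substrings
# ("john" would also grep "johnny") or other fields of the line.
# On FreeBSD the hashes live in /etc/master.passwd and getpwnam() returns
# them only to root; an unprivileged CGI process just sees "*".
sub system_hash {
    my ($name) = @_;
    my ($pw_name, $pw_hash) = getpwnam($name);
    return defined $pw_name ? $pw_hash : undef;
}

# Fetch the stored hash from a separate "name:hash" file kept only for web
# access, so the web password can differ from the shell/dialup password.
sub file_hash {
    my ($name, $path) = @_;
    open my $fh, '<', $path or return undef;
    while (my $line = <$fh>) {
        chomp $line;
        my ($n, $h) = split /:/, $line, 3;
        if (defined $n && $n eq $name) { close $fh; return $h; }
    }
    close $fh;
    return undef;
}

sub main {
    # Constructed sample request; a real CGI would parse QUERY_STRING with
    # something like CGI.pm instead of trusting the raw string.
    my ($name, $pwd) = ('johnny', 'bgoode');

    # Constructed sample web password file (assumed path).  The hash is
    # produced here with MD5 crypt and the fixed salt "abcdefgh".
    my $webpw = '/tmp/webpasswd.example';
    open my $out, '>', $webpw or die "$webpw: $!";
    print $out 'johnny:' . crypt('bgoode', '$1$abcdefgh$') . "\n";
    print $out "alice:*\n";                # locked entry, must never verify
    close $out;

    my $hash = file_hash($name, $webpw);
    printf "web file:  %s\n", check_crypt($pwd, $hash) ? 'password ok' : 'denied';
    printf "web file:  %s\n", check_crypt('wrong', $hash) ? 'password ok' : 'denied';
    printf "web file:  %s\n", check_crypt('anything', file_hash('alice', $webpw))
                              ? 'password ok' : 'denied';

    $hash = system_hash($name);
    printf "system pw: %s\n",
        defined $hash ? (check_crypt($pwd, $hash) ? 'password ok' : 'denied')
                      : 'no such user';
    unlink $webpw;
}

main() unless caller;
```

Run as-is it prints "password ok", "denied", "denied" for the constructed web file, and "no such user" (or "denied", if a johnny account exists) for the system database. None of this addresses Pat's larger point: whichever file the hash comes from, the cleartext still travels in the query string unless the server is HTTPS.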