From owner-freebsd-isp Sun Aug 17 19:38:14 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id TAA14094 for isp-outgoing; Sun, 17 Aug 1997 19:38:14 -0700 (PDT)
Received: from absinthe.i3inc.com (Absinthe.i3inc.com [208.218.26.194]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA14088 for ; Sun, 17 Aug 1997 19:38:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by absinthe.i3inc.com (8.7.2/8.7.2) with SMTP id VAA28188; Sun, 17 Aug 1997 21:40:34 -0400 (EDT)
Message-Id: <199708180140.VAA28188@absinthe.i3inc.com>
X-Authentication-Warning: absinthe.i3inc.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: ulf@alameda.net
Cc: isp@freebsd.org
Subject: Re: Changing password via web ?
In-Reply-To: Your message of "Sun, 17 Aug 1997 15:56:02 -0700 (PDT)"
References: <199708172256.PAA23248@Gatekeeper.Alameda.net>
X-Mailer: Mew version 1.03 on Emacs 19.34.1
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 17 Aug 1997 21:40:33 -0400
From: Chris Shenton
Sender: owner-freebsd-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 17 Aug 1997 15:56:02 -0700 (PDT) Ulf Zimmermann wrote:

ulf> Is anyone offering this to their customers ? (certainly via
ulf> secure server ;-) ) We have many web/ftp only customers and I
ulf> don't really want to explain them how to telnet, just to change
ulf> their password (as that also is not secure). So I am looking for
ulf> a way to let the people change the password via a web page.
ulf> Enter old password, twice new password.
ulf>
ulf> Any tips ? Anyone who is doing this ?

I'm doing this for a RADIUS server database I set up at NASA/HQ. I wrote a bunch of scripts to allow a non-tech to enter a name, look it up in our X.500, find the unique username, instantiate RADIUS fields (auto-generated password, expiration date, etc), confirm, then store to a DBM file.

When the user wants to change their password, they go to a different web form, enter username, old password, and new password twice. A script runs nightly to send 14, 7, 3, and 0-day reminders that their password is about to expire.

Folks -- admin and user -- seem to like it: it's easy to use.

It's all done on Stronghold's commercial Apache+SSL, on a 586 running Solaris. We have a cert from Veri$ign. I wrote it in Perl.

I can send you the password changing code, or any of the rest of it if wanted, but it's kinda specific to HQ's infrastructure -- it depends heavily on X.500 directory user information. I also hacked Ascend's RADIUS to use encrypted-in-DBM passwords, rather than clear-text.

But if you want to blow off the HQ, X.500, and RADIUS hacks and just use the bits, feel free. The password stuff uses a bunch of Perl library routines I wrote for the admin part, but it should be readable enough.

Let me know if you want it. Send to my work address, .

PS: the Perl isn't that great -- it was one of my first Perl programs of any complexity. If I knew Perl5 I would have done a better job. Actually, if I were to do it again, I'd force myself to learn Java and do it that way. :-)
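
The password-change step described in the message above (username, old password, new password twice, record kept hashed in a DBM file), as an added example in Python. It is not the Perl code offered in the message; the record layout, PBKDF2 parameters, function names and sample account are assumptions made for illustration.

```python
import dbm
import hashlib
import hmac
import os
import tempfile

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed; tune per host)
SALT_LEN = 16          # assumed record layout: salt || derived key
GENERIC_FAILURE = "username or old password incorrect"

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(db, user: str, password: str) -> None:
    """Store only salt + derived key; the clear-text password never hits disk."""
    salt = os.urandom(SALT_LEN)
    db[user.encode()] = salt + _derive(password, salt)

def change_password(db, user: str, old: str, new1: str, new2: str):
    """Return (ok, message) for a username / old / new-twice form submission."""
    record = db.get(user.encode())
    # An unknown user still costs one derivation and gets the same message,
    # so the form does not reveal which usernames exist.
    if record is None:
        salt, stored = b"\0" * SALT_LEN, b""
    else:
        salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    old_ok = hmac.compare_digest(_derive(old, salt), stored)
    if record is None or not old_ok:
        return False, GENERIC_FAILURE
    if new1 != new2:
        return False, "new passwords do not match"
    if new1 == old:
        return False, "new password must differ from the old one"
    set_password(db, user, new1)
    return True, "password changed"

if __name__ == "__main__":
    # Constructed sample account in a throwaway DBM file.
    path = os.path.join(tempfile.mkdtemp(), "users")
    with dbm.open(path, "c") as db:
        set_password(db, "alice", "initial-auto-generated")
        print(change_password(db, "alice", "wrong", "new-phrase", "new-phrase"))
        print(change_password(db, "alice", "initial-auto-generated",
                              "new-phrase", "new-phrase"))
```

The old password is checked before the two new entries are compared, so a request that fails authentication learns nothing about the rest of the form.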