Date:      Wed, 23 Oct 2002 12:24:45 -0400 (EDT)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        FreeBSD-Stable <stable@freebsd.org>
Subject:   Re: Password Authentication question
Message-ID:  <20021023121442.X47335-100000@topperwein.pennasoft.com>
In-Reply-To: <20021023111243.D82804-100000@earl-grey.cloud9.net>

On Wed, 23 Oct 2002, Mark Hennessy wrote:

> If I'm sending to the wrong list, please direct me to the list I should be
> sending this question to.
>
> I'm using FreeBSD version 4.5 and NIS.
>
> This application is to run on my NIS Master Server.
>
> I am trying to create an application that uses my existing passwd file to
> authenticate users via a web form.  The user that the web server is
> running its threads as is of course NOT root.  I have tried getpwnam and
> getpwuid in Perl, and the results returned for the password is "*" and not
> the crypted password.  I have tried Authen::PAM, but I cannot get it to
> work under FreeBSD 4.5 and for reasons outside of my control, it is not an
> option for me to upgrade to FreeBSD 4.7.  I was wondering if there might
> be any other alternative to perform the authentication test that does not
> involve sending password information cleartext across a network.  I know
> it creates a potential security risk, and I would try to build any
> necessary checks into my application to try to reduce the risk.

    Generally, this has been regarded as a Bad Idea(tm), but if you
really *must* do this, I'd suggest running a cron job to take the
username and hashed password and use it to populate your web server's
htpasswd file, and/or modify the NIS makefile to do this every time you
push a new passwd map to your slaves.  Alternatively, you could have
your CGI script get the hash via ypmatch, and then hash the input
password with the same algorithm to compare the hashes.  This wouldn't
use Apache's password mechanism, though.

    It'd be far, far better just to keep the htpasswd and
/etc/master.passwd files completely separate.

    Preventing cleartext passwords is easy:  use https.  The entire
connection is then over SSL/TLS.

-- 
Chris BeHanna                      http://www.pennasoft.com
Principal Consultant
PennaSoft Corporation
chris@pennasoft.com
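The ypmatch-then-crypt approach described in the reply above, as an added Perl example that is not code from the thread: it fetches the passwd entry without a shell, refuses locked or shadowed ("*") entries, and compares the crypt(3) result in constant time. The function names are hypothetical, and the demo uses a constructed entry in place of a live NIS lookup so it runs offline.

```perl
# Added example (not from the original thread): verify a web-form password
# against the crypt(3) hash in an NIS passwd entry, as the reply suggests.
use strict;
use warnings;

# Fetch "user:hash:uid:gid:gecos:home:shell" from the NIS passwd map.
# List-form open avoids the shell, and the username is whitelisted first so
# untrusted web input never reaches ypmatch unchecked.
sub fetch_passwd_entry {
    my ($user) = @_;
    return undef unless $user =~ /^[a-z_][a-z0-9_-]{0,31}$/;
    open(my $fh, '-|', 'ypmatch', $user, 'passwd') or return undef;
    my $line = <$fh>;
    close $fh;
    chomp $line if defined $line;
    return $line;
}

# Constant-time string comparison so the mismatch position doesn't leak via timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 1 only if the entry carries a real hash and the candidate matches it.
# "*" (what non-root getpwnam sees), "!" or an empty field mean "no password
# login" and are rejected outright rather than passed to crypt().
sub check_password {
    my ($entry, $candidate) = @_;
    return 0 unless defined $entry;
    my (undef, $hash) = split /:/, $entry;
    return 0 if !defined $hash || $hash eq '' || $hash =~ /^[*!]/;
    # crypt() takes the salt (and algorithm prefix, e.g. $1$) from the stored hash.
    return ct_eq(crypt($candidate, $hash), $hash);
}

# Constructed sample entries: the hash is generated here from a known password
# with an MD5-crypt salt; the real CGI would use fetch_passwd_entry($user).
my $sample_hash  = crypt('correct-horse', '$1$saltsalt$');
my $sample_entry = "alice:$sample_hash:1001:1001:Alice:/home/alice:/bin/sh";
my $locked_entry = 'bob:*:1002:1002:Bob:/home/bob:/bin/sh';

print check_password($sample_entry, 'correct-horse') ? "alice: ok\n" : "alice: denied\n";
print check_password($sample_entry, 'wrong')         ? "alice: ok\n" : "alice: denied\n";
print check_password($locked_entry, 'anything')      ? "bob: ok\n"   : "bob: denied\n";
```

The CGI must itself run with enough privilege to read the real hash from the map (the "*" the original poster saw is exactly the shadowing that stops an unprivileged process), which is why keeping the hashes out of the web server entirely, as the reply recommends, is the safer design.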

