From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD-Stable
Date: Wed, 23 Oct 2002 12:24:45 -0400 (EDT)
Subject: Re: Password Authentication question
In-Reply-To: <20021023111243.D82804-100000@earl-grey.cloud9.net>
Message-ID: <20021023121442.X47335-100000@topperwein.pennasoft.com>

On Wed, 23 Oct 2002, Mark Hennessy wrote:

> If I'm sending to the wrong list, please direct me to the list I should be
> sending this question to.
>
> I'm using FreeBSD version 4.5 and NIS.
>
> This application is to run on my NIS Master Server.
>
> I am trying to create an application that uses my existing passwd file to
> authenticate users via a web form. The user that the web server is
> running its threads as is of course NOT root. I have tried getpwnam and
> getpwuid in Perl, and the results returned for the password is "*" and not
> the crypted password. I have tried Authen::PAM, but I cannot get it to
> work under FreeBSD 4.5 and for reasons outside of my control, it is not an
> option for me to upgrade to FreeBSD 4.7.
>
> I was wondering if there might be any other alternative to perform the
> authentication test that does not involve sending password information
> cleartext across a network. I know it creates a potential security risk,
> and I would try to build any necessary checks into my application to try
> to reduce the risk.

Generally, this has been regarded as a Bad Idea(tm), but if you really
*must* do this, I'd suggest running a cron job to take the username and
hashed password and use it to populate your web server's htpasswd file,
and/or modify the NIS makefile to do this every time you push a new passwd
map to your slaves.

Alternatively, you could have your CGI script get the hash via ypmatch,
and then hash the input password with the same algorithm to compare the
hashes. This wouldn't use Apache's password mechanism, though.

It'd be far, far better just to keep the htpasswd and /etc/master.passwd
files completely separate.

Preventing cleartext passwords is easy: use https. The entire connection
is then over SSL/TLS.

-- 
Chris BeHanna                  http://www.pennasoft.com
Principal Consultant           PennaSoft Corporation
chris@pennasoft.com
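The ypmatch-plus-crypt check the reply describes, as an added example that is not part of the original post (Perl, since the question concerns a Perl CGI). It assumes ypmatch is on the PATH, that the NIS map is named passwd, and that the password field is visible to the web server's user; the demo at the bottom fabricates a passwd line so it runs without NIS.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: verify a web-form password
# against the crypted hash of an NIS passwd entry, as the reply suggests.
# Assumptions: ypmatch is on the PATH, the map is "passwd", and the hash
# field is readable by the web server's user (a "*" there means it is not).
use strict;
use warnings;

# Run ypmatch through a list-form pipe open (no shell, so the username cannot
# smuggle in arguments) and return the passwd(5) line, or undef on failure.
sub nis_passwd_line {
    my ($user) = @_;
    return undef unless defined $user && $user =~ /^[A-Za-z0-9_][A-Za-z0-9._-]*$/;
    open(my $fh, '-|', 'ypmatch', $user, 'passwd') or return undef;
    my $line = <$fh>;
    close($fh);
    return ($? == 0) ? $line : undef;   # ypmatch exits non-zero when no such key
}

# Pull the crypted password out of a passwd(5) line. "*", "*LOCKED*" and an
# empty field are not hashes; returning undef makes them fail verification.
sub hash_from_line {
    my ($line) = @_;
    return undef unless defined $line;
    chomp $line;
    my @field = split /:/, $line, -1;
    return undef if @field < 2;
    my $hash = $field[1];
    return undef if $hash eq '' || $hash =~ /^\*/;
    return $hash;
}

# crypt() reads the algorithm and salt from the stored hash itself, so hashing
# the submitted password with the stored hash as "salt" and comparing repeats
# the system's own check without the web server ever needing root.
sub verify_password {
    my ($input, $hash) = @_;
    return 0 unless defined $input && defined $hash;
    return crypt($input, $hash) eq $hash ? 1 : 0;
}

# Stand-alone demo needing no NIS: build a constructed passwd line around a
# freshly computed hash (MD5-crypt "$1$" salt is an assumption about the map).
if (!caller) {
    my $stored = crypt('correct horse', '$1$saltsalt$');
    my $line   = "mark:$stored:1001:1001:Mark:/home/mark:/bin/sh\n";
    my $hash   = hash_from_line($line);
    print verify_password('correct horse', $hash) ? "ok\n"   : "FAIL\n";
    print verify_password('wrong', $hash)         ? "FAIL\n" : "ok\n";
    print defined hash_from_line("mark:*:1001:1001:::\n") ? "FAIL\n" : "ok\n";
}
```

In a real CGI the username and password come from the form body over https, and nis_passwd_line replaces the constructed line in the demo.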