From owner-freebsd-questions Thu Apr 8 15: 5:50 1999 Delivered-To: freebsd-questions@freebsd.org Received: from chain.freebsd.os.org.za (chain.freebsd.os.org.za [196.7.74.174]) by hub.freebsd.org (Postfix) with ESMTP id A651214D43 for ; Thu, 8 Apr 1999 15:05:33 -0700 (PDT) (envelope-from khetan@chain.freebsd.os.org.za) X-Disclaimer: Contents of this e-mail are the writer's opinion X-Disclaimer2: and may not be quoted, re-produced or forwarded X-Disclaimer3: (in part or whole) without the author's permission. Received: from localhost (khetan@localhost) by chain.freebsd.os.org.za (8.9.3+3.2W/8.9.3) with ESMTP id AAA70480; Fri, 9 Apr 1999 00:02:50 +0200 (SAST) (envelope-from khetan@chain.freebsd.os.org.za) Date: Fri, 9 Apr 1999 00:02:47 +0200 (SAST) From: Khetan Gajjar Reply-To: Khetan Gajjar To: Dibyo Gahari Cc: freebsd-questions@FreeBSD.ORG Subject: Re: how to change a password through a web page ? In-Reply-To: Message-ID: X-Mobile: +27 82 9907663 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Around Today, "Doug White" wrote : DW> > Where can I find a freeware script to realize it ? DW> DW> Everyone wants to do this, surely _SOMEONE_ has their code posed o a site DW> somewhere... Even better, I'll include one here. This was taken from somewhere (I forget where). Set httpd.server.name to the name that runs the script, and poppassd.server.name to the name of the server running Qualcomm's poppassd. I would personally recommend tcp_wrapping popassd so that it can only be accessed by the web server, to increase security slightly. I call it with a bit of HTML that looks like this : --sample passwd.html--
Enter your username (all lower case):

Enter your current password:

Select a new password:

Re-enter your new password for verification:

--sample passwd.html-- --/cgi-bin/change-pass.cgi-- #!/usr/bin/perl # # Simple POPPASSD Password Changer # mp@atlantic.net 2/1/97 # # Thanks to westnet.com for the idea; written cause I couldnt # get theirs to work. This one asks for username and password # and changes the password via POPPASSD. (There is a sample # index.html that goes with this. put it in a directory called # password under your document root, and then users can call # it like http://www.atlantic.net/password # # It uses your poppassd port to do the work, so it requires # you have it installed -- but that way it will honor any # type of security checks you want/have implemented. # Isn't that special? # # You will need to change the line with $clientid= # to your poppassd server -- this script can be run on a # different machine than where the poppassd program resides; # and you will have to change the "rawclient" line from # rio.atlantic.net to match the hostname of the host # this script runs from. # # If your looking for a link to the 'net, check out # http://www.atlantic.net; we work with ISPs/corporations/individuals # # Use @ your own risk! read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'}); # Split the name-value pairs @pairs = split(/&/, $buffer); foreach $pair (@pairs) { ($name, $value) = split(/=/, $pair); # Un-Webify plus signs and %-encoding $value =~ tr/+/ /; $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; $name =~ tr/+/ /; $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; # Set each variable if ($name eq "username") { $n=$value; } if ($name eq "oldpasswd") { $op=$value; } if ($name eq "passwd") { $np=$value; } if ($name eq "passwd1") { $np1=$value; } # Stop people from using subshells to execute commands # Not a big deal when using sendmail, but very important # when using UCB mail (aka mailx). # $value =~ s/~!/ ~!/g; # Uncomment for debugging purposes # print "Setting $name to $value

"; # $FORM{$name} = $value; } if ($np ne $np1) { $line="New Passwords Dont Match."; &error_out; } $port=106; $clientid="popassd.server.name"; while(getservbyport($port,"tcp")) { $port++; } ($d1,$d2,$prototype)=getprotobyname("tcp"); ($d1,$d2,$d3,$d4,$rawclient)=gethostbyname("httpd.server.name"); ($d1,$d2,$d3,$d4,$rawserver)=gethostbyname($clientid); $clientaddr=pack("Sna4x8",2,0,$rawclient); $serveraddr=pack("Sna4x8",2,$port,$rawserver); socket(SOCKET,2,1,$prototype) || die("No socket"); bind (SOCKET,$clientaddr) || die ("Can't bind"); $cstat=connect(SOCKET, $serveraddr); select(SOCKET); $|=1; if ($cstat != 0) { &get_reply; print SOCKET "user $n\n"; &get_reply; print SOCKET "pass $op\n"; &get_reply; print SOCKET "newpass $np\n"; &get_reply; select(STDOUT); printf("Content-type: text/html\n"); printf("\n"); printf("\n"); printf("Password Changed Successfully.\n"); printf("
\n"); printf("Your password has been changed successfully. It may take up\n"); printf("to 6 hours for your new password to take effect.
"); printf("
\n"); printf("$line
\n"); printf("
"); printf("\n"); exit(1); } else { $line="Password Server is not responding.\n"; &error_out; } close(SOCKET); exit(1); sub get_reply { $line=; $v=substr($line,0,3); if ($v ne "200") { &error_out; } } sub error_out { select(STDOUT); printf("Content-type: text/html\n"); printf("\n"); printf("\n"); printf("An error has occurred\n"); printf("
\n"); printf("We were unable to change your password. Please read the\n"); printf("diagnostic message below and try again. If you need additional\n"); printf("assistance, please send e-mail to webmaster\@dom.a.in with the following"); printf(" diagnostic message.

"); printf("
\n"); printf("$line
\n"); printf("
"); printf("Please go to http://httpd.server.name/blah.html to try again.\n"); printf("\n"); exit(1); } --/cgi-bin/change-pass.cgi-- --- Khetan Gajjar (!kg1779) * khetan@os.org.za http://www.os.org.za/~khetan * Talk/Finger khetan@chain.freebsd.os.org.za FreeBSD enthusiast * http://www2.za.freebsd.org/ Security-wise, NT is a OS with a "kick me" sign taped to it Reference : Date : Apr 8, 1999, 12:34pm To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message