From: Joshua Lokken
To: Alexander Chamandy
Cc: freebsd-questions@freebsd.org
Date: Tue, 14 Dec 2004 13:13:07 -0600
Subject: Re: web-based password checking tool?

On Tue, 14 Dec 2004 14:04:44 -0500, Alexander Chamandy wrote:
> In that case, check out something like:
> http://rucus.ru.ac.za/~bvi/utils/webpass/
>
> "Web Pass is a CGI script which allows users on a system to change
> their passwords via the web. This is useful for users with no shell
> access to the machine, but who still have 'real' accounts for things
> such as web space, ftp Samba and the like."
>
> I hope this helps!
>
> On Tue, 14 Dec 2004 16:02:46 -0300 (ART), Fernando Gleiser
> wrote:
> > On Tue, 14 Dec 2004, Alexander Chamandy wrote:
> >
> > > The solution I've seen people use in the past is Webmin
> > > (http://www.webmin.com/), but I haven't heard great things about its
> > > security. I would use it cautiously if you are looking for that
> > > functionality.
> >
> > Webmin is a different thing. It allows for web-based administration,
> > it isn't useful as a tool for users to change their passwords.
> > In order to use webmin for that, I'd have to add a webmin user for
> > every mail user and restrict the module set. It is just not worth it.
> >
> > I'm looking for something like some ISPs do: a form where you enter
> > your username, your old password and your new one (twice, for confirmation).
> >
> > I think I can hack a quick CGI script which does that, then checks the
> > parameters, and if everything is OK, hashes the new passwd and calls
> > something like
> > "echo encryptedpass | sudo pw usermod user -H 1"
> >
> > or something like that. But I prefer to use already made and tested
> > solutions.
> >
> >
> > > The problem I'd note is that in order to attain
> > > convenience in the traditional sense, one must generally sacrifice
> > > layers of security. In this case, allowing a web interface to change
> > > users' authentication credentials provides risks (compromise,
> > > information leakage, etc.) and rewards (enhanced usability for novice
> > > users, added convenience).
> >
> > Exactly. But I think in this case it is justified. We're talking about
> > people who are not technical. It's the only way.

Alexander, please do not top-post.

http://www.html-faq.com/etiquette/?toppost

--
Joshua Lokken
Open Source Advocate
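
The parameter checks and the hand-off to `pw usermod ... -H` from the quoted CGI idea, as an added example (not code from this thread or from Web Pass). The function names, the username and hash patterns, the minimum length and the use of descriptor 0 for `-H` are assumptions; verifying the old password against the account is left out.

```python
import re
import subprocess

# Assumption: local account-name policy (lowercase start, at most 16 chars).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,15}")
# Assumption: modular-crypt hash such as "$6$salt$digest"; no whitespace/newlines.
HASH_RE = re.compile(r"\$[0-9a-z]+\$[A-Za-z0-9./$=,-]{1,200}")
MIN_LENGTH = 10  # assumed site policy


def check_form(username, old_pw, new_pw, confirm_pw):
    """Return validation errors for the submitted form (empty list means OK)."""
    errors = []
    if not USERNAME_RE.fullmatch(username):
        errors.append("invalid username")
    if not old_pw:
        errors.append("old password required")
    if new_pw != confirm_pw:
        errors.append("new passwords do not match")
    if len(new_pw) < MIN_LENGTH:
        errors.append("new password too short")
    if new_pw and new_pw == old_pw:
        errors.append("new password equals old password")
    return errors


def pw_invocation(username, new_hash):
    """Build (argv, stdin_bytes) for pw; raise ValueError on unsafe input."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not HASH_RE.fullmatch(new_hash):
        raise ValueError("invalid hash format")
    # argv list: no shell ever parses the form-supplied username.
    # -H 0: pw reads the hash from stdin, so it never appears in a command
    # line, shell history or process listing.
    argv = ["sudo", "-n", "pw", "usermod", "-n", username, "-H", "0"]
    return argv, new_hash.encode("ascii") + b"\n"


def apply_change(username, new_hash):
    """Run pw with the hash on stdin; True on success (FreeBSD + sudoers rule)."""
    argv, stdin_bytes = pw_invocation(username, new_hash)
    done = subprocess.run(argv, input=stdin_bytes, capture_output=True, timeout=10)
    return done.returncode == 0
```

The sudoers entry for the web server user should permit only this `pw usermod` form, so that a flaw in the CGI layer cannot reach other `pw` subcommands.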