We're working on an intranet site where we will require users to only
be able to access their own page in some instances. Rather than
introducing another password to the mix, we were thinking about seeing
if we could use the same credentials (username and password) as their
linux credentials. The web site will be running off of the same machine
that we want to access the credentials on.
Thanx!
-joltman
joltman,
> We're working on an intranet site where we will require users to only be able to access their own page in some instances. Rather than introducing another password to the mix, we were thinking about seeing if we could use the same credentials (username and password) as their linux credentials. The web site will be running off of the same machine that we want to access the credentials on.
I would advise against this as PHP/Apache would need read access to the
linux password file. Although it is possible. You would read the linux
password file with the usernames and passwords and use the same
algorithm for checking the passwords.
I forget exactly how the algorithm for checking works but you can do a
google search and find it.
Mike
joltman wrote:
> We're working on an intranet site where we will require users to only be able to access their own page in some instances. Rather than introducing another password to the mix, we were thinking about seeing if we could use the same credentials (username and password) as their linux credentials. The web site will be running off of the same machine that we want to access the credentials on.
The credentials (the user name and encrypted password) are available
for reading from Linux password file, /etc/password. If you know
what encryption is used on your Linux system and can reproduce it
with PHP, you should be able to authenticate against Linux' user
database.
As to being able "require users to only be able to access their own
page", this is going to be slightly more complicated. Usually, PHP
is configured as an Apache module, so any PHP application runs with
Apache's credentials. So you will have to either put access control
into your application logic or figure out a way to start your
application as a CGI program on behalf of a particular user...
Cheers,
NC
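
What "the same algorithm" means in practice, as an added example that is not part of any post in this thread: PHP's crypt() re-hashes the candidate password with the scheme and salt embedded in the stored hash, and the two strings are compared. The function name and the sample shadow-format lines are constructed for illustration; on a real system the web process would need read access to the shadow file, which is the risk the replies point out.

```php
<?php
declare(strict_types=1);

/**
 * Check a password against one line in /etc/shadow format
 * (name:hash:lastchg:min:max:warn:inactive:expire:reserved).
 * Returns true only for an exact user match with a usable, matching hash.
 */
function verifyShadowLine(string $line, string $user, string $password): bool
{
    $fields = explode(':', rtrim($line, "\r\n"));
    if (count($fields) < 2 || $fields[0] !== $user) {
        return false;
    }
    $stored = $fields[1];
    // Empty field = no password set; leading '!' or '*' = locked or disabled.
    // Neither may ever be accepted as a web login.
    if ($stored === '' || $stored[0] === '!' || $stored[0] === '*') {
        return false;
    }
    // crypt() takes scheme and salt from the stored hash ($6$ = SHA-512).
    // For a scheme this PHP build lacks it returns a short failure string
    // such as "*0", which can never equal a real hash.
    $computed = crypt($password, $stored);
    // Constant-time comparison of the two hash strings.
    return hash_equals($stored, $computed);
}

// Constructed sample data: the hash is generated here, not taken from a real system.
$hash   = crypt('correct horse', '$6$ConstructedSalt$');
$sample = [
    "alice:{$hash}:19000:0:99999:7:::",
    "bob:!{$hash}:19000:0:99999:7:::",   // locked account
    "carol::19000:0:99999:7:::",         // no password set
];

$attempts = [['alice', 'correct horse'], ['alice', 'wrong'],
             ['bob', 'correct horse'], ['carol', '']];
foreach ($attempts as [$u, $p]) {
    $ok = false;
    foreach ($sample as $line) {
        $ok = $ok || verifyShadowLine($line, $u, $p);
    }
    printf("%-6s %s\n", $u, $ok ? 'accepted' : 'rejected');
}
```
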
joltman <jo*****@geocities.com> wrote:
> We're working on an intranet site where we will require users to only be able to access their own page in some instances. Rather than introducing another password to the mix, we were thinking about seeing if we could use the same credentials (username and password) as their linux credentials. The web site will be running off of the same machine that we want to access the credentials on.
It's possible but like others have already stated: potentially dangerous
since apache needs to be able to read the password files (/etc/shadow in
most cases). So use with care: http://pam.sourceforge.net/mod_auth_pam/
joltman wrote:
> We're working on an intranet site where we will require users to only be able to access their own page in some instances. Rather than introducing another password to the mix, we were thinking about seeing if we could use the same credentials (username and password) as their linux credentials. The web site will be running off of the same machine that we want to access the credentials on.
Do the users log in via samba by any chance? If so, you might be able to
use something like winbind and htaccess to authenticate the users.
Obviously wouldn't work outside of the local samba network, though.
Well, they would be logging in from a Windows machine, if that would
work the same way as samba. It wouldn't be a problem only working in
the network, as that's the only place it will be used anyway.
joltman (jo*****@geocities.com) wrote:
: Well, they would be logging in from a Windows machine, if that would
: work the same way as samba. It wouldn't be a problem only working in
: the network, as that's the only place it will be used anyway.
I would try to find a unix utility that handles this for you.
I would suggest "su" but I don't know off hand how to pass in the password
without a tty (though I suspect it is possible, perhaps something like
"expect" could do it).
_IF_ you could use su, then you would simply use it with no further ado.
You would call it with the username and password to run a script that does
the work for the user. Either it works if the login is correct, or fails
if it isn't. In either case you would not need access to the password
file, or need to write much code as "su" already does all the work. If
you research then I suspect that there are other utilities that could be
used in a similar manner, the fact that none spring to my mind just means
I have a lousy memory.
If you do this then you would need to protect the passwords more carefully
though, because they would be more "valuable" since they access more stuff
than just a web page. That means using HTTPS so no one could snoop the
network and find people's passwords.
--
This space not for rent.
You shouldn't do that. It isn't secure at all.
Add a script to your system: when a new *nix user is created, then your
system can add the user to an .htpasswd file to be used with apache
mod_auth or something like that.
Or better, use a database, LDAP...
Mike Willbanks wrote:
> joltman,
>> We're working on an intranet site where we will require users to only be able to access their own page in some instances. Rather than introducing another password to the mix, we were thinking about seeing if we could use the same credentials (username and password) as their linux credentials. The web site will be running off of the same machine that we want to access the credentials on.
> I would advise against this as PHP/Apache would need read access to the linux password file. Although it is possible. You would read the linux password file with the usernames and passwords and use the same algorithm for checking the passwords.
> I forget exactly how the algorithm for checking works but you can do a google search and find it.
No it doesn't.
Linux, along with most flavours of *nix now implements PAM - (pluggable
authentication modules) these can be configured to authenticate using
old-fashioned /etc/passwd, shadow passwords, NIS[+], SMB, radius, kerberos
and more.
In order to access some of these resources (specifically shadow passwords)
the process must be running as 'root'. The process does not have to be
apache. It is fairly painless to create a suid program or daemon which
interfaces to PAM - there are a couple of GPL programs available for squid (a
web proxy) which do exactly this (although they are setup to process lots
of requests per invocation - a single one may be more appropriate). Try the
squid web pages for more info.
C.
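
The arrangement described in the post above, seen from the PHP side, as an added example that is not part of the original thread: the web process stays unprivileged and hands each credential pair to a separate privileged helper. Assumptions: the helper path is a placeholder, and the helper is taken to speak Squid's basic-auth helper protocol (one URL-escaped "user password" line in, one "OK" or "ERR" line out); the function name is hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: a Squid-style PAM helper installed by the administrator with
// the privileges it needs. The path varies by distribution; placeholder only.
const PAM_HELPER = '/usr/lib/squid/basic_pam_auth';

/**
 * Ask the privileged helper whether the credentials are valid.
 * PHP itself never opens the password database.
 */
function pamHelperCheck(string $user, string $password): bool
{
    // Reject unusual user names before they reach a privileged process.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        return false;
    }
    $pipes = [];
    // Array form of the command (PHP 7.4+) runs the binary without a shell.
    $proc = proc_open([PAM_HELPER], [
        0 => ['pipe', 'r'],               // helper's stdin
        1 => ['pipe', 'w'],               // helper's stdout
        2 => ['file', '/dev/null', 'w'],  // discard diagnostics
    ], $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    // The password travels over a pipe, never on the command line,
    // so it does not show up in the process list.
    fwrite($pipes[0], rawurlencode($user) . ' ' . rawurlencode($password) . "\n");
    fclose($pipes[0]);                    // EOF lets the helper exit
    $reply = fgets($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);

    // Fail closed: anything but an explicit OK (including no reply) is a denial.
    return is_string($reply) && strncmp($reply, 'OK', 2) === 0;
}
```
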
The only problem with that is that we are trying to avoid adding
another password to the mix, as most people already have 3 to deal with
(windows, e-mail, erp program)
In article <11*********************@o13g2000cwo.googlegroups.com>,
"joltman" <jo*****@geocities.com> wrote:
> The only problem with that is that we are trying to avoid adding another password to the mix, as most people already have 3 to deal with (windows, e-mail, erp program)
Don't see a way around this problem. You can put passwords on pages
with Apache but the database is maintained separate from the Linux
passwd file. You could use NIS and use someone else's module: http://www.webweaving.org/mod_auth_m...mod_auth_nis.c
Alternately, you could "roll your own" Apache mod that does this for
you, but your web server would have to run as root.
Netscape's Enterprise Web server used to use LDAP for authentication
rather than the Apache .htaccess file approach. Since SUN bought
Netscape, I don't know what this product morphed into or if it would run
on Solaris X86. I'd forget about it running on Linux.
How important is this to you? Are you willing to commit programming
resources to it and maintain it later on?
--
DeeDee, don't press that button! DeeDee! NO! Dee...
joltman <jo*****@geocities.com> wrote:
> The only problem with that is that we are trying to avoid adding another password to the mix, as most people already have 3 to deal with (windows, e-mail, erp program)
e-mail? Is that a POP/IMAP account? You could use that to authenticate
with the IMAP functions.
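
A sketch of the suggestion above, as an added example that is not part of the original post: the login form's credentials are tried once against the mail server over TLS using PHP's IMAP extension. The host name is a placeholder and the function name is hypothetical; the imap extension must be installed.

```php
<?php
declare(strict_types=1);

// Assumption: placeholder host. Port 995 with /pop3/ssl is POP3 over TLS,
// and certificate validation is left at its default (on).
const MAILBOX = '{mail.example.internal:995/pop3/ssl}INBOX';

/**
 * Treat a successful mail login as proof of identity.
 */
function mailLoginCheck(string $user, string $password): bool
{
    if ($user === '' || $password === '') {
        return false;
    }
    // Fifth argument is the retry count: 1 means a single attempt, so one
    // bad web login costs one failed mail login and not several, which
    // matters when the mail server locks accounts after repeated failures.
    $conn = @imap_open(MAILBOX, $user, $password, 0, 1);

    // Drain the extension's error and alert stacks so a failed login does
    // not surface as notices at the end of the request.
    imap_errors();
    imap_alerts();

    if ($conn === false) {
        return false;
    }
    imap_close($conn);
    return true;
}
```
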
joltman wrote:
> The only problem with that is that we are trying to avoid adding another password to the mix, as most people already have 3 to deal with (windows, e-mail, erp program)
One other possibility might be to use mysql to store your userids and
passwords. Then use pam_mysql for telnet access and mod_auth_mysql for
apache access.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Yes, it is POP, could you give me more information on this?