
Authenticate a user using same password as linux password

We're working on an intranet site where we will require users to only
be able to access their own page in some instances. Rather than
introducing another password to the mix, we were thinking about seeing
if we could use the same credentials (username and password) as their
linux credentials. The web site will be running off of the same machine
that we want to access the credentials on.

Thanx!
-joltman

Jul 17 '05 #1
13 Replies


joltman,
> We're working on an intranet site where we will require users to only
> be able to access their own page in some instances. Rather than
> introducing another password to the mix, we were thinking about seeing
> if we could use the same credentials (username and password) as their
> linux credentials. The web site will be running off of the same machine
> that we want to access the credentials on.


I would advise against this as PHP/Apache would need read access to the
linux password file. Although it is possible. You would read the linux
password file with the usernames and passwords and use the same
algorithm for checking the passwords.

I forget exactly how the algorithm for checking works but you can do a
google search and find it.

Mike
Jul 17 '05 #2

NC
joltman wrote:

> We're working on an intranet site where we will require users to only be able to access their own page in some instances. Rather than
> introducing another password to the mix, we were thinking about seeing if we could use the same credentials (username and password) as their
> linux credentials. The web site will be running off of the same machine that we want to access the credentials on.


The credentials (the user name and encrypted password) are available
for reading from Linux password file, /etc/password. If you know
what encryption is used on your Linux system and can reproduce it
with PHP, you should be able to authenticate against Linux' user
database.

As to being able "require users to only be able to access their own
page", this is going to be slightly more complicated. Usually, PHP
is configured as an Apache module, so any PHP application runs with
Apache's credentials. So you will have to either put access control
into your application logic or figure out a way to start your
application as a CGI program on behalf of a particular user...

Cheers,
NC

Jul 17 '05 #3

joltman <jo*****@geocities.com> wrote:
> We're working on an intranet site where we will require users to only
> be able to access their own page in some instances. Rather than
> introducing another password to the mix, we were thinking about seeing
> if we could use the same credentials (username and password) as their
> linux credentials. The web site will be running off of the same machine
> that we want to access the credentials on.


It's possible but like others have already stated: potentially dangerous
since apache needs to be able to read the password files (/etc/shadow in
most cases). So use with care: http://pam.sourceforge.net/mod_auth_pam/

Jul 17 '05 #4

joltman wrote:
> We're working on an intranet site where we will require users to only
> be able to access their own page in some instances. Rather than
> introducing another password to the mix, we were thinking about seeing
> if we could use the same credentials (username and password) as their
> linux credentials. The web site will be running off of the same machine
> that we want to access the credentials on.


Do the users log in via samba by any chance? If so, you might be able to
use something like winbind and htaccess to authenticate the users.
Obviously wouldn't work outside of the local samba network, though.
Jul 17 '05 #5

Well, they would be logging in from a Windows machine, if that would
work the same way as samba. It wouldn't be a problem only working in
the network, as that's the only place it will be used anyway.

Jul 17 '05 #6

joltman (jo*****@geocities.com) wrote:
: Well, they would be logging in from a Windows machine, if that would
: work the same way as samba. It wouldn't be a problem only working in
: the network, as that's the only place it will be used anyway.

I would try to find a unix utility that handles this for you.

I would suggest "su" but I don't know off hand how to pass in the password
without a tty (though I suspect it is possible, perhaps something like
"expect" could do it).

_IF_ you could use su, then you would simply use it with no further ado.
You would call it with the username and password to run a script that does
the work for the user. Either it works if the login is correct, or fails
if it isn't. In either case you would not need access to the password
file, or need to write much code as "su" already does all the work. If
you research then I suspect that there are other utilities that could be
used in a similar manner, the fact that none spring to my mind just means
I have a lousy memory.

If you do this then you would need to protect the passwords more carefully
though, because they would be more "valuable" since they access more stuff
than just a web page. That means using HTTPS so no one could snoop the
network and find people's passwords.

--

This space not for rent.
Jul 17 '05 #7

You shouldn't do that. It isn't secure at all.

Add a script to your system, when a new *nix user is created, then your
system can add the user to an .htpasswd file to be used with apache
mod_auth or something like that.
Or better, use a database, ldap...

Jul 17 '05 #8

Mike Willbanks wrote:
> joltman,
>> We're working on an intranet site where we will require users to only
>> be able to access their own page in some instances. Rather than
>> introducing another password to the mix, we were thinking about seeing
>> if we could use the same credentials (username and password) as their
>> linux credentials. The web site will be running off of the same machine
>> that we want to access the credentials on.
>
> I would advise against this as PHP/Apache would need read access to the
> linux password file. Although it is possible. You would read the linux
> password file with the usernames and passwords and use the same
> algorithm for checking the passwords.
>
> I forget exactly how the algorithm for checking works but you can do a
> google search and find it.


No it doesn't.

Linux, along with most flavours of *nix now implements PAM - (pluggable
authentication modules) these can be configured to authenticate using
old-fashioned /etc/passwd, shadow passwords, NIS[+], SMB, radius, kerberos
and more.

In order to access some of these resources (specifically shadow passwords)
the process must be running as 'root'. The process does not have to be
apache. It is fairly painless to create a suid program or daemon which
interfaces to PAM - there are a couple of GPL programs available for squid (a
web proxy) which do exactly this (although they are setup to process lots
of requests per invocation - a single one may be more appropriate). Try the
squid web pages for more info.

C.
Jul 17 '05 #9
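
An added example, not part of any post in this thread: PHP code for the split described in replies #7 and #9, where the web process hands the login to a separate helper and only learns whether it succeeded. It assumes a helper that speaks the line protocol of squid's basic-auth helpers (one URL-encoded "user password" line in, OK or ERR out); the function name, the stand-in shell helper and the sample credentials are constructed for illustration.

```php
<?php
// Added example, not code from the thread.
// Assumed helper protocol (that of squid's basic-auth helpers): one
// URL-encoded "user password" line on stdin, "OK" or "ERR" on stdout.

/**
 * Ask a separate helper process to verify a login. The web process never
 * opens /etc/shadow; only the helper needs the privilege to talk to PAM.
 */
function helper_check_login(array $helperCmd, string $user, string $pass): bool
{
    // \A and \z anchor the whole string, so "alice\n" cannot slip past.
    if (!preg_match('/\A[a-z_][a-z0-9_.-]{0,31}\z/', $user) || $pass === '') {
        return false;
    }
    $spec = [
        0 => ['pipe', 'r'],
        1 => ['pipe', 'w'],
        2 => ['file', '/dev/null', 'w'],
    ];
    // Array form (PHP 7.4+) executes the helper directly, with no shell.
    $proc = proc_open($helperCmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return false; // fail closed if the helper cannot start
    }
    // Credentials travel over stdin, not argv, so `ps` never shows them.
    // URL-encoding keeps spaces and newlines from splitting the request.
    fwrite($pipes[0], rawurlencode($user) . ' ' . rawurlencode($pass) . "\n");
    fclose($pipes[0]);
    $reply = fgets($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    // Anything other than a leading "OK" token counts as a failed login.
    return is_string($reply) && preg_match('/\AOK(\s|\z)/', $reply) === 1;
}

// Constructed stand-in helper so the example runs offline; it accepts one
// made-up pair. A deployment would pass the PAM helper's path instead
// (hypothetical here, it depends on the distribution).
$standIn = ['/bin/sh', '-c',
    'read -r u p; [ "$u" = "alice" ] && [ "$p" = "correct%20horse" ] && echo OK || echo ERR'];

var_dump(helper_check_login($standIn, 'alice', 'correct horse'));
var_dump(helper_check_login($standIn, 'alice', 'wrong'));
var_dump(helper_check_login($standIn, "alice\nroot", 'x'));
```

With a real PAM helper in place of the stand-in, the login form still has to be served over HTTPS, as reply #7 points out.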

The only problem with that is that we are trying to avoid adding
another password to the mix, as most people already have 3 to deal with
(windows, e-mail, erp program)

Jul 17 '05 #10

In article <11*********************@o13g2000cwo.googlegroups. com>,
"joltman" <jo*****@geocities.com> wrote:
> The only problem with that is that we are trying to avoid adding
> another password to the mix, as most people already have 3 to deal with
> (windows, e-mail, erp program)


Don't see a way around this problem. You can put passwords on pages
with Apache but the database is maintained separate from the Linux
passwd file. You could use NIS and use someone else's module:

http://www.webweaving.org/mod_auth_m...mod_auth_nis.c

Alternately, you could "roll your own" Apache mod that does this for
you, but your web server would have to run as root.

Netscape's Enterprise Web server used to use LDAP for authentication
rather than the Apache .htaccess file approach. Since SUN bought
Netscape, I don't know what this product morphed into or if it would run
on Solaris X86. I'd forget about it running on Linux.

How important is this to you? Are you willing to commit programming
resources to it and maintain it later on?

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #11

joltman <jo*****@geocities.com> wrote:
> The only problem with that is that we are trying to avoid adding
> another password to the mix, as most people already have 3 to deal with
> (windows, e-mail, erp program)


e-mail? Is that a POP/IMAP account? You could use that to authenticate
with the IMAP functions.

Jul 17 '05 #12

joltman wrote:
> The only problem with that is that we are trying to avoid adding
> another password to the mix, as most people already have 3 to deal with
> (windows, e-mail, erp program)


One other possibility might be to use mysql to store your userids and
passwords. Then use pam_mysql for telnet access and mod_auth_mysql for
apache access.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 17 '05 #13

Yes, it is POP, could you give me more information on this?

Jul 17 '05 #14
