First off, if you don't already know, the Linux passwords are stored in the /etc/passwd file (unless you have a shadow suite installed, in which case /etc/shadow would be a good bet.) Basing this on a shadow file, the file is a text document with one user per line. The entries are stored in the following format:

username:passwd:last:may:must:warn:expire:disable:reserved

All you really need for changing the password is the passwd section, although the other sections could be useful.

The password is not stored as plaintext; it has been crypted (may be a new word...). Now, if you aren't familiar with crypt, it is based on the DES, which is a symmetrical algorithm. The password (called salt in this case) is a two character string chosen from [a-zA-Z0-9./]. This means there are (getting calculator out...) ((2)26+10+2)squared=4096 possible versions of the string. Now I don't know if a different salt is used for each user or if it is uniform throughout. I'll put together a script that crypts my password with every salt string possible and checks it against my shadow file, then tries that salt with other passwords on my box. Fun project.

So basically, you would have to find the correct salt, crypt the new password, then use PHP's file functions to manipulate the passwd/shadow file- which brings up yet another problem- security. Do you really want to give PHP access to your passwd/shadow file??? Also, if I were you I would verify their old password too... just in case bob tries to change sue's password.

If anything in here is outdated or just plain wrong please tell me.

Evan Nemerson

PS: I thought /usr/bin/md5 should exist so here:

#!/usr/local/bin/php -q
<?php
// Drop the script name so only the command-line arguments are hashed.
unset($argv[0]);
echo md5(trim(implode(" ", $argv))) . "\n";
?>

On Thursday 04 October 2001 07:28 pm, you wrote:
> What is the best way to change linux passwords using a web .PHP interface?
> I currently allow FTP access to php enabled webhosting sites; which use
> safe mode, thus use real linux accounts.
>
> Thus far I thought I would:
>
> Write a real short C program which would call allow to go
> setpasswd <username> <passwd>
> passwd could perhaps be the crypt() version to provide better
> security? it would just call passwd, and ensure that username is not 'root'
> and a few other accounts ;)
>
> Then I would put that program within the directory of executables allowed
> in safe mode. And just have a plain http post form to update the password,
> running over HTTPS.
>
> Does this seem a good plan ... or are there better?
>
> It also begs the question; how do I authenticate an account using php ...
> to login to their 'change password' feature? I have already spent a lot of
> time trying to merge password files for different uses; Windows
> shares, Linux ones, for samba, and this and that, so it'd be nice to now
> have yet another passwd file :)
>
> Siggy

--
PHP General Mailing List (http://www.php.net/)
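
The shadow layout and the "verify their old password" step discussed in this thread, as an added example that is not part of the original messages: it parses one line using the field names quoted above and checks a candidate old password. It relies on crypt() reading the salt from the stored hash itself (the first two characters for traditional DES); the function names, the salt "ab" and the sample line are constructed for illustration.

```php
<?php
// Added example: field names follow the shadow format quoted in the thread.
const SHADOW_FIELDS = ['username', 'passwd', 'last', 'may', 'must',
                       'warn', 'expire', 'disable', 'reserved'];

/** Split one shadow line into named fields; null if it is malformed. */
function parse_shadow_line(string $line): ?array
{
    $parts = explode(':', rtrim($line, "\r\n"));
    if (count($parts) !== count(SHADOW_FIELDS) || $parts[0] === '') {
        return null;
    }
    return array_combine(SHADOW_FIELDS, $parts);
}

/** True only if $candidate hashes to the stored passwd field. */
function verify_old_password(array $entry, string $candidate): bool
{
    $stored = $entry['passwd'];
    // An empty field, "*" or a "!" prefix means no password or a locked
    // account, so nothing typed into a web form may ever match it.
    if ($stored === '' || $stored[0] === '*' || $stored[0] === '!') {
        return false;
    }
    // Passing the stored hash as the salt argument makes crypt() reuse
    // the same scheme and salt, so no salt search is needed.
    $computed = crypt($candidate, $stored);
    // On failure crypt() returns a string starting with "*", which the
    // guard above guarantees differs from $stored. hash_equals() does
    // the comparison in constant time.
    return hash_equals($stored, $computed);
}

// Constructed sample line: hypothetical user, made-up password and salt.
$line  = 'sue:' . crypt('oldpass1', 'ab') . ':11600:0:99999:7:::';
$entry = parse_shadow_line($line);

var_dump(substr($entry['passwd'], 0, 2));          // salt taken from the hash
var_dump(verify_old_password($entry, 'oldpass1')); // correct old password
var_dump(verify_old_password($entry, 'wrong'));    // wrong old password
var_dump(parse_shadow_line('sue:x:0'));            // malformed line
```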