On Thu, 17 Feb 2005 13:06:21 -0500, Henry Ortega <[EMAIL PROTECTED]> wrote:

> Is there a way to pass the password as a parameter
> to /bin/login?
>
> Or is there any other command I can use to verify
> if a certain username/password pair is valid?
you can write a program, make it suid (i've done it in C/C++, you could do it with a suidperl program, i guess), and then the program could read the shadow file directly. then you'd just do md5 (or DES crypt if that's an old distribution). i've done this, it's not hard.

another approach (used it long ago), would be to open a socket connection to the pop3 server and try to authenticate. if your pop3 server uses /etc/shadow passwords, then that'll work too. this was easier for me than the previous try, your mileage might vary, depends on how familiar you are with socket programming. or how easy your programming language makes that :).

you can also use expect or otherwise try to telnet into the box (firewall off the telnet port!). that would work too (did that really long ago, but for authenticating and then changing passwords via a web based interface).

note: it's insecure to pass passwords on command lines since ps can see the command lines. it's also insecure to send the passwords through the environment since (apparently, i don't know how to do this) the environment can be listed too (although that might be root only, if it is, and if you trust root, then that's probably fine). you might want to consider opening a pipe between you and the child and passing the password there.

if that box isn't really supposed to serve pop3 traffic, just firewall off port 110 and allow only localhost to connect to that port.

> I am writing a PHP front end and I would love for it
> to authenticate using the system username/passwords
> and was thinking of just doing a popen() to a command
> or shell script with very limited privileges.

your command or script is going to be root to read the shadow file. you want to either use some sort of mandatory access controls or make your program very limited, so that it's so simple it's impossible to trick it into doing anything other than what you want it to. if you work in C, be *really* paranoid about buffer overflows.
tiger

--
Gerald Timothy Quimpo http://bopolissimus.blogspot.com [EMAIL PROTECTED]
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"
Mene sakhet ur-seveh

--
Philippine Linux Users' Group (PLUG) Mailing List [email protected] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
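A helper of the kind the reply sketches (a privileged checker that reads the shadow hash and runs crypt on the candidate password), written as an added example for this thread rather than anything the poster or PLUG published. It assumes Python's `crypt` and `spwd` modules (present through Python 3.12) and takes both values over a pipe on stdin, so nothing sensitive lands in argv or the environment where `ps` could show it.

```python
"""Privileged username/password checker: reads "user\\npassword\\n" from stdin."""
import hmac
import sys

try:
    import crypt   # deprecated since 3.11, removed in 3.13 (assumption: present here)
    import spwd
    HAVE_CRYPT = True
except ImportError:
    HAVE_CRYPT = False

MAX_INPUT = 1024   # the helper runs as root, so bound what it will read


def parse_credentials(text):
    """Split 'user\\npassword\\n' into (user, password); None if malformed."""
    if "\0" in text:
        return None
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0]:
        return None
    return lines[0], lines[1]


def make_shadow_hash(password):
    """Hash a password the way /etc/shadow stores it (random salt, strongest method)."""
    return crypt.crypt(password, crypt.mksalt())


def verify_against_hash(password, stored_hash):
    """True only if crypt(password, stored salt) equals the stored hash."""
    if not stored_hash or stored_hash[0] in "!*":   # locked or disabled account
        return False
    candidate = crypt.crypt(password, stored_hash)   # the stored hash carries its salt
    return candidate is not None and hmac.compare_digest(candidate, stored_hash)


def check_system_password(user, password):
    """Look the user up in /etc/shadow (root only) and verify the password."""
    try:
        entry = spwd.getspnam(user)
    except (KeyError, PermissionError):   # unknown user, or not running as root
        return False
    return verify_against_hash(password, entry.sp_pwdp)


if __name__ == "__main__":
    creds = parse_credentials(sys.stdin.read(MAX_INPUT))
    ok = creds is not None and check_system_password(*creds)
    sys.exit(0 if ok else 1)   # never echo the password; the exit status is the answer
```

A front end would spawn this as root with stdin connected to a pipe (for example `popen()` in write mode), write the two lines, close the pipe, and read only the exit status.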
