Re: web-based password checking tool?

2004-12-15 Thread Frank Richter
Fernando Gleiser wrote:
> I need a web based tool to let the users change their passwords, since
> they don't have shell access, a web-based solution seems like the
> only way to let them do it without bothering the admins.
 

I'm using cgipaf!
Advantage: cracklib/dictionary and exclude words as passwords
--
---
Frank Richter
Max-Planck-Institut für Astronomie
Königstuhl 17
D-69117 Heidelberg
mailto:[EMAIL PROTECTED]
phone: +49 6221 528267
---
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: web-based password checking tool?

2004-12-14 Thread Alexander Chamandy
The solution I've seen people use in the past is Webmin
(http://www.webmin.com/), but I haven't heard great things about its
security.  I would use it cautiously if you are looking for that
functionality.  The problem I'd note is that in order to attain
convenience in the traditional sense, one must generally sacrifice
layers of security.  In this case, allowing a web interface to change
users' authentication credentials provides risks (compromise,
information leakage, etc.) and rewards (enhanced usability for novice
users, added convenience).


On Tue, 14 Dec 2004 15:41:07 -0300 (ART), Fernando Gleiser
[EMAIL PROTECTED] wrote:
> I have a FreeBSD box with more than 400 accounts. The users are
> non-technical, administrative kind of persons.
>
> The box is working as a mail server, with sendmail as MTA and cyrus IMAPd,
> authenticating against the system files (/etc/master.passwd) not using
> SASL.
>
> I need a web based tool to let the users change their passwords, since
> they don't have shell access, a web-based solution seems like the
> only way to let them do it without bothering the admins.


-- 
Best wishes,

Alexander G. Chamandy
Webmaster
www.bsdfreak.org
Your Source For BSD News!


Re: web-based password checking tool?

2004-12-14 Thread Joshua Lokken
On Tue, 14 Dec 2004 15:41:07 -0300 (ART), Fernando Gleiser
[EMAIL PROTECTED] wrote:
> I have a FreeBSD box with more than 400 accounts. The users are
> non-technical, administrative kind of persons.
>
> The box is working as a mail server, with sendmail as MTA and cyrus IMAPd,
> authenticating against the system files (/etc/master.passwd) not using
> SASL.
>
> I need a web based tool to let the users change their passwords, since
> they don't have shell access, a web-based solution seems like the
> only way to let them do it without bothering the admins.

Usermin should do what you're wanting.  It's similar to Webmin, which
another poster recommended, but is meant for end-users rather than
admins.

/usr/ports/sysutils/usermin  

HTH,

-- 
Joshua Lokken
Open Source Advocate


Re: web-based password checking tool?

2004-12-14 Thread Alexander Chamandy
In that case, check out something like:
http://rucus.ru.ac.za/~bvi/utils/webpass/

Web Pass is a CGI script which allows users on a system to change
their passwords via the web. This is useful for users with no shell
access to the machine, but who still have 'real' accounts for things
such as web space, ftp Samba and the like.

I hope this helps!

On Tue, 14 Dec 2004 16:02:46 -0300 (ART), Fernando Gleiser
[EMAIL PROTECTED] wrote:
> On Tue, 14 Dec 2004, Alexander Chamandy wrote:
>
> > The solution I've seen people use in the past is Webmin
> > (http://www.webmin.com/), but I haven't heard great things about its
> > security.  I would use it cautiously if you are looking for that
> > functionality.
>
> Webmin is a different thing. It allows for web-based administration,
> it isn't useful as a tool for users to change their passwords.
> In order to use webmin for that, I'd have to add a webmin user for
> every mail user and restrict the module set. It is just not worth it.
>
> I'm looking for something like some ISPs do: a form where you enter
> your username, your old password and your new one (twice, for confirmation).
>
> I think I can hack a quick CGI script which does that, then checks the
> parameters, and if everything is OK, hashes the new passwd and calls
> something like
> echo encryptedpass | sudo pw usermod user -H 1
>
> or something like that. But I prefer to use already made and tested
> solutions.
>
>
> > The problem I'd note is that in order to attain
> > convenience in the traditional sense, one must generally sacrifice
> > layers of security.  In this case, allowing a web interface to change
> > users' authentication credentials provides risks (compromise,
> > information leakage, etc.) and rewards (enhanced usability for novice
> > users, added convenience).
>
> Exactly. But I think in this case it is justified. We're talking about
> people who are not technical. It's the only way.
>
> Fer
 


-- 
Best wishes,

Alexander G. Chamandy
Webmaster
www.bsdfreak.org
Your Source For BSD News!
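
The form flow sketched in the quoted message above (username, old password, new password twice, parameter checks, then a hash handed to `pw usermod`), together with the excluded-words check mentioned earlier in the thread, as an added example that is not part of the original posts. The function names, the word list and the length limit are hypothetical; verifying the old password and hashing the new one with crypt(3) are assumed to happen in the caller, and `-H 0` is used because the hash arrives on stdin.

```python
import re
import subprocess

# Constructed sample policy; a real deployment would load a cracklib dictionary.
EXCLUDED_WORDS = {"password", "letmein", "qwerty", "freebsd"}
PROTECTED_ACCOUNTS = {"root", "toor", "daemon", "operator"}
# Conservative login-name allowlist: no spaces, quotes or shell metacharacters.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,15}")
MIN_LENGTH = 10  # assumed policy value


def check_request(username, old_pw, new_pw, confirm_pw):
    """Return the reasons to reject the form; an empty list means acceptable."""
    problems = []
    if not USERNAME_RE.fullmatch(username) or username in PROTECTED_ACCOUNTS:
        problems.append("username not allowed")
    if new_pw != confirm_pw:
        problems.append("new password and confirmation differ")
    if new_pw == old_pw:
        problems.append("new password equals old password")
    if len(new_pw) < MIN_LENGTH:
        problems.append("new password too short")
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in new_pw):
        problems.append("control characters in new password")
    lowered = new_pw.lower()
    if username.lower() in lowered or any(w in lowered for w in EXCLUDED_WORDS):
        problems.append("new password contains an excluded word")
    return problems


def set_encrypted_password(username, encrypted, runner=subprocess.run):
    """Hand an already-hashed password to pw(8) without involving a shell."""
    # Re-validate here so this function is safe even if called on its own.
    if not USERNAME_RE.fullmatch(username) or username in PROTECTED_ACCOUNTS:
        raise ValueError("username not allowed")
    if not encrypted or "\n" in encrypted:
        raise ValueError("malformed hash")
    # argv list, no shell: the username is never parsed as shell syntax.
    # -H 0 makes pw read the encrypted string from fd 0 (stdin), so the hash
    # does not show up in the process list.
    argv = ["sudo", "-n", "pw", "usermod", "-n", username, "-H", "0"]
    return runner(argv, input=(encrypted + "\n").encode(), check=True)
```

The matching sudoers entry should allow the web server's user to run only `pw usermod`, not arbitrary commands.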


Re: web-based password checking tool?

2004-12-14 Thread Jon Krause
Usermin (found from the same link) is probably a better tool, with fewer
security concerns.  Also, both can be run with SSL and non-standard ports.

Best, Jon

- Original Message - 
From: Alexander Chamandy [EMAIL PROTECTED]
Subject: Re: web-based password checking tool?


: The solution I've seen people use in the past is Webmin
: (http://www.webmin.com/), but I haven't heard great things about its
: security.  I would use it cautiously if you are looking for that
: functionality.  The problem I'd note is that in order to attain
: convenience in the traditional sense, one must generally sacrifice
: layers of security.  In this case, allowing a web interface to change
: users' authentication credentials provides risks (compromise,
: information leakage, etc.) and rewards (enhanced usability for novice
: users, added convenience).
:
:
: On Tue, 14 Dec 2004 15:41:07 -0300 (ART), Fernando Gleiser
: [EMAIL PROTECTED] wrote:
: > I have a FreeBSD box with more than 400 accounts. The users are
: > non-technical, administrative kind of persons.
: >
: > The box is working as a mail server, with sendmail as MTA and cyrus IMAPd,
: > authenticating against the system files (/etc/master.passwd) not using
: > SASL.
: >
: > I need a web based tool to let the users change their passwords, since
: > they don't have shell access, a web-based solution seems like the
: > only way to let them do it without bothering the admins.
:
:
: -- 
: Best wishes,
:
: Alexander G. Chamandy
: Webmaster
: www.bsdfreak.org
: Your Source For BSD News!


Re: web-based password checking tool?

2004-12-14 Thread Joshua Lokken
On Tue, 14 Dec 2004 14:04:44 -0500, Alexander Chamandy
[EMAIL PROTECTED] wrote:
> In that case, check out something like:
> http://rucus.ru.ac.za/~bvi/utils/webpass/
>
> Web Pass is a CGI script which allows users on a system to change
> their passwords via the web. This is useful for users with no shell
> access to the machine, but who still have 'real' accounts for things
> such as web space, ftp Samba and the like.
>
> I hope this helps!
>
> On Tue, 14 Dec 2004 16:02:46 -0300 (ART), Fernando Gleiser
> [EMAIL PROTECTED] wrote:
> > On Tue, 14 Dec 2004, Alexander Chamandy wrote:
> >
> > > The solution I've seen people use in the past is Webmin
> > > (http://www.webmin.com/), but I haven't heard great things about its
> > > security.  I would use it cautiously if you are looking for that
> > > functionality.
> >
> > Webmin is a different thing. It allows for web-based administration,
> > it isn't useful as a tool for users to change their passwords.
> > In order to use webmin for that, I'd have to add a webmin user for
> > every mail user and restrict the module set. It is just not worth it.
> >
> > I'm looking for something like some ISPs do: a form where you enter
> > your username, your old password and your new one (twice, for confirmation).
> >
> > I think I can hack a quick CGI script which does that, then checks the
> > parameters, and if everything is OK, hashes the new passwd and calls
> > something like
> > echo encryptedpass | sudo pw usermod user -H 1
> >
> > or something like that. But I prefer to use already made and tested
> > solutions.
> >
> >
> > > The problem I'd note is that in order to attain
> > > convenience in the traditional sense, one must generally sacrifice
> > > layers of security.  In this case, allowing a web interface to change
> > > users' authentication credentials provides risks (compromise,
> > > information leakage, etc.) and rewards (enhanced usability for novice
> > > users, added convenience).
> >
> > Exactly. But I think in this case it is justified. We're talking about
> > people who are not technical. It's the only way.


Alexander, please do not top-post.
http://www.html-faq.com/etiquette/?toppost

-- 
Joshua Lokken
Open Source Advocate