author | ivan <ivan> | 2002-02-05 16:48:27 +0000 |
---|---|---|
committer | ivan <ivan> | 2002-02-05 16:48:27 +0000 |
commit | 2093701338cf6d4531a33466cd64ad48bbf88856 (patch) | |
tree | 12a94c70003e645a84d366c17662746c26332c4e | |
parent | d7a54962112545979a1710f97dd5299fbd9c1aaf (diff) |
web-based password changer!
-rwxr-xr-x | fs_passwd/fs_passwd | 2 | ||||
-rwxr-xr-x | fs_passwd/fs_passwd.cgi | 57 | ||||
-rw-r--r-- | fs_passwd/fs_passwd.html | 25 | ||||
-rwxr-xr-x | httemplate/docs/passwd.html | 19 |
4 files changed, 96 insertions, 7 deletions
diff --git a/fs_passwd/fs_passwd b/fs_passwd/fs_passwd
index bcf09f1fe..0b467aefc 100755
--- a/fs_passwd/fs_passwd
+++ b/fs_passwd/fs_passwd
@@ -20,7 +20,7 @@ use vars qw($opt_f $opt_s);
 my($fs_passwdd_socket)="/usr/local/freeside/fs_passwdd_socket";
 my($freeside_uid)=scalar(getpwnam('freeside'));
-$ENV{'PATH'} ='/usr/bin:/usr/ucb:/bin';
+$ENV{'PATH'} ='/usr/local/bin:/usr/bin:/usr/ucb:/bin';
 $ENV{'SHELL'} = '/bin/sh';
 $ENV{'IFS'} = " \t\n";
 $ENV{'CDPATH'} = '';
diff --git a/fs_passwd/fs_passwd.cgi b/fs_passwd/fs_passwd.cgi
new file mode 100755
index 000000000..df6c7c8bf
--- /dev/null
+++ b/fs_passwd/fs_passwd.cgi
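Review bot: Prepending /usr/local/bin to PATH in a program the docs install setuid (chmod 4755 per httemplate/docs/passwd.html in this commit) makes anything in that directory shadow the /usr/bin copy for every child process, and the hunk does not say what the new entry is for; a comment such as `# /usr/local/bin first: <reason — TODO confirm>` would let a maintainer judge whether it is still needed. The same sanitised PATH list is duplicated verbatim in the new fs_passwd.cgi, so a later change to one is likely to drift from the other.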
@@ -0,0 +1,57 @@
+#!/usr/bin/perl -Tw
+
+use strict;
+use Getopt::Std;
+use Socket;
+use IO::Handle;
+use CGI;
+use CGI::Carp qw(fatalsToBrowser);
+
+my $fs_passwdd_socket = "/usr/local/freeside/fs_passwdd_socket";
+my $freeside_uid = scalar(getpwnam('freeside'));
+
+$ENV{'PATH'} ='/usr/local/bin:/usr/bin:/usr/ucb:/bin';
+$ENV{'SHELL'} = '/bin/sh';
+$ENV{'IFS'} = " \t\n";
+$ENV{'CDPATH'} = '';
+$ENV{'ENV'} = '';
+$ENV{'BASH_ENV'} = '';
+
+die "fs_passwd.cgi isn't running as freeside user\n" if $> != $freeside_uid;
+
+my $cgi = new CGI;
+
+$cgi->param('username') =~ /^([^\n]{0,255}$)/ or die "Illegal username";
+my $me = $1;
+
+$cgi->param('old_password') =~ /^([^\n]{0,255}$)/ or die "Illegal old_password";
+my $old_password = $1;
+
+$cgi->param('new_password') =~ /^([^\n]{0,255}$)/ or die "Illegal new_password";
+my $new_password = $1;
+
+die "New passwords don't match"
+ unless $new_password eq $cgi->param('new_password2');
+
+socket(SOCK, PF_UNIX, SOCK_STREAM, 0) or die "socket: $!";
+connect(SOCK, sockaddr_un($fs_passwdd_socket)) or die "connect: $!";
+print SOCK join("\n", $me, $old_password, $new_password, '', ''), "\n";
+SOCK->flush;
+my $error = <SOCK>;
+chomp $error;
+
+if ($error) {
+ die $error;
+} else {
+ print <<END;
+<html>
+ <head>
+ <title>Password changed</title>
+ </head>
+ <body bgcolor="#e8e8e8">
+ <h3>Password changed</h3>
+<br>Your password has been changed.
+ </body>
+</html>
+END
+}
diff --git a/fs_passwd/fs_passwd.html b/fs_passwd/fs_passwd.html
new file mode 100644
index 000000000..fadc4df8b
--- /dev/null
+++ b/fs_passwd/fs_passwd.html
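Review bot: The success branch writes the HTML page with no CGI header, so the web server receives a malformed response; add `print $cgi->header;` just before `print <<END;` (the `die` paths get a header from fatalsToBrowser, this path does not). The reply handling also treats an empty read as success: if fs_passwdd closes the socket without answering, `$error` is undef, `chomp` warns under -w, and "Password changed" is shown although nothing confirmed it — add `defined $error or die "no response from fs_passwdd";` before the chomp, and `close SOCK;` after it. `my $cgi = new CGI;` is indirect-object syntax; `my $cgi = CGI->new;` avoids the bareword-resolution ambiguity. Whether the daemon's reply text, passed straight to `die`, is HTML-escaped before CGI::Carp echoes it to the browser depends on the installed CGI::Carp version, so that is worth confirming.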
@@ -0,0 +1,25 @@
+<html>
+ <head>
+ <title>Change password</title>
+ </head>
+ <body bgcolor="#e8e8e8">
+ <h3>Change password</h3>
+ <form action="/cgi-bin/fs_passwd.cgi" method="post">
+ <table bgcolor="#cccccc" border=0 cellspacing=2>
+ <tr><th align="right">Username</th>
+ <td><input type="text" name="username" size="18"></td>
+ </tr>
+ <tr><th align="right">Current password</th>
+ <td><input type="password" name="old_password" size="18"></td>
+ </tr>
+ <tr><th align="right">New password</th>
+ <td><input type="password" name="new_password" size="18"></td>
+ </tr>
+ <tr><th align="right">Re-enter new password</th>
+ <td><input type="password" name="new_password2" size="18"></td>
+ </tr>
+ </table>
+ <br><input type="submit" value="Change password">
+ </body>
+</html>
+
diff --git a/httemplate/docs/passwd.html b/httemplate/docs/passwd.html
index e5242c200..c4d91480c 100755
--- a/httemplate/docs/passwd.html
+++ b/httemplate/docs/passwd.html
@@ -3,14 +3,21 @@
 </head>
 <body>
 <h1>fs_passwd</h1>
-You may use fs_passwd/fs_passwd as a "passwd", "chfn" and "chsh" replacement on your shell machine(s) to cause password, gecos and shell changes to update your freeside machine. This can pose a security risk if not configured correctly. <b>Do not use this feature unless you understand what you are doing!</b>
+You may use fs_passwd/fs_passwd as a "passwd", "chfn" and "chsh" replacement on your shell machine(s) to cause password, gecos and shell changes to update your freeside machine. You can also use the fs_passwd/fs_passwd.html and fs_passwd/fs_passwd.cgi to run a public password change CGI on a public web server. This can pose a security risk if not configured correctly. <b>Do not use this feature unless you understand what you are doing!</b>
 <br><br>Currently it is assumed that the the crypt(3) function in the C library is the same on the Freeside machine as on the target machine.
 <ul>
- <li>Create a freeside account on the shell machine(s).
- <li>Append the identity.pub from the freeside user on your freeside machine to the authorized_keys file of the newly created freeside user on the shell machine(s).
+ <li>Create a freeside account on the shell or web machine(s).
+ <li>Setup SSH keys:
+ <ul>
+ <li>As the freeside user (on your freeside machine), generate an authentication key using <a href="http://www.tac.eu.org/cgi-bin/man-cgi?ssh-keygen+1">ssh-keygen</a>. Since this is for unattended operation, use a blank passphrase.
+ <li>Append the newly-created <code>identity.pub</code> file to <code>~root
+/.ssh/authorized_keys</code> on the shell or web machine(s).
+ <li>Some new SSH v2 implementation accept v2 style keys only. Use the <code>-t</code> option to <a href="http://www.tac.eu.org/cgi-bin/man-cgi?ssh-keygen+1">ssh-keygen</a>, and append the created <code>id_dsa.pub</code> or <code>id_rsa.pub</code> to <code>~root/.ssh/authorized_keys2</code> on the remote machine(s).
+ </ul>
+ <li>Copy fs_passwd/fs_passwdd to /usr/local/sbin on the shell or web machine(s). (chown freeside, chmod 500)
+ <li>Create /usr/local/freeside on the shell or web machine(s). (chown freeside, chmod 700)
+ <li>Run an iteration of "fs_passwd/fs_passwd_server <i>user</i> shell.machine" as the freeside user for each shell or web machine (this is a daemon process). <i>user</i> refers to the freeside user from the <a href="config.html">mapsecrets configuration file</a>.
 <li>Copy fs_passwd/fs_passwd to /usr/local/bin on the shell machine(s). (chown freeside, chmod 4755). You may link it to passwd, chfn and chsh as well.
- <li>Copy fs_passwd/fs_passwdd to /usr/local/sbin on the shell machine(s). (chown freeside, chmod 500)
- <li>Create /usr/local/freeside on the shell machine(s). (chown freeside, chmod 700)
- <li>Run an iteration of "fs_passwd/fs_passwd_server <i>user</i> shell.machine" as the freeside user for each shell machine (this is a daemon process). <i>user</i> refers to the freeside user from the <a href="config.html">mapsecrets configuration file</a>.
+ <li>Copy fs_passwd/fs_passwd.cgi to the cgi-bin directory on your web machine(s). Use <a href="http://www.apache.org/docs/suexec.html">suEXEC</a> or <a href="http://www.perldoc.com/perl5.6.1/pod/perlsec.html">suidperl</a> to run fs_passwd.cgi as the freeside user.
 </ul>
 </body>
|