From 2093701338cf6d4531a33466cd64ad48bbf88856 Mon Sep 17 00:00:00 2001
From: ivan
Date: Tue, 5 Feb 2002 16:48:27 +0000
Subject: [PATCH] web-based password changer!
---
 fs_passwd/fs_passwd | 2 +-
 fs_passwd/fs_passwd.cgi | 57 +++++++++++++++++++++++++++++++++++++++++++++
 fs_passwd/fs_passwd.html | 25 ++++++++++++++++++++
 httemplate/docs/passwd.html | 19 ++++++++++-----
 4 files changed, 96 insertions(+), 7 deletions(-)
 create mode 100755 fs_passwd/fs_passwd.cgi
 create mode 100644 fs_passwd/fs_passwd.html
diff --git a/fs_passwd/fs_passwd b/fs_passwd/fs_passwd
index bcf09f1fe..0b467aefc 100755
--- a/fs_passwd/fs_passwd
+++ b/fs_passwd/fs_passwd
@@ -20,7 +20,7 @@ use vars qw($opt_f $opt_s);
 my($fs_passwdd_socket)="/usr/local/freeside/fs_passwdd_socket";
 my($freeside_uid)=scalar(getpwnam('freeside'));
-$ENV{'PATH'} ='/usr/bin:/usr/ucb:/bin';
+$ENV{'PATH'} ='/usr/local/bin:/usr/bin:/usr/ucb:/bin';
 $ENV{'SHELL'} = '/bin/sh';
 $ENV{'IFS'} = " \t\n";
 $ENV{'CDPATH'} = '';
diff --git a/fs_passwd/fs_passwd.cgi b/fs_passwd/fs_passwd.cgi
new file mode 100755
index 000000000..df6c7c8bf
--- /dev/null
+++ b/fs_passwd/fs_passwd.cgi
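Review bot: The changed `$ENV{'PATH'}` line puts `/usr/local/bin` ahead of the system directories in a program the documentation installs setuid (chmod 4755), so any command fs_passwd invokes by bare name is now resolved from /usr/local/bin first; if a particular binary under /usr/local/bin is the reason for the change, calling it by absolute path keeps the sanitized PATH minimal, and otherwise appending it last (`'/usr/bin:/usr/ucb:/bin:/usr/local/bin'`) at least lets the system directories win. The same PATH value is repeated in the new fs_passwd.cgi, which the docs run as the freeside user via suEXEC or suidperl, so the two should be changed together. A why-comment such as `# /usr/local/bin added for <which command>` would record what the extra entry is for. The hunk shows only top-level statements, so there is no enclosing function to consider.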
@@ -0,0 +1,57 @@
+#!/usr/bin/perl -Tw
+
+use strict;
+use Getopt::Std;
+use Socket;
+use IO::Handle;
+use CGI;
+use CGI::Carp qw(fatalsToBrowser);
+
+my $fs_passwdd_socket = "/usr/local/freeside/fs_passwdd_socket";
+my $freeside_uid = scalar(getpwnam('freeside'));
+
+$ENV{'PATH'} ='/usr/local/bin:/usr/bin:/usr/ucb:/bin';
+$ENV{'SHELL'} = '/bin/sh';
+$ENV{'IFS'} = " \t\n";
+$ENV{'CDPATH'} = '';
+$ENV{'ENV'} = '';
+$ENV{'BASH_ENV'} = '';
+
+die "fs_passwd.cgi isn't running as freeside user\n" if $> != $freeside_uid;
+
+my $cgi = new CGI;
+
+$cgi->param('username') =~ /^([^\n]{0,255}$)/ or die "Illegal username";
+my $me = $1;
+
+$cgi->param('old_password') =~ /^([^\n]{0,255}$)/ or die "Illegal old_password";
+my $old_password = $1;
+
+$cgi->param('new_password') =~ /^([^\n]{0,255}$)/ or die "Illegal new_password";
+my $new_password = $1;
+
+die "New passwords don't match"
+ unless $new_password eq $cgi->param('new_password2');
+
+socket(SOCK, PF_UNIX, SOCK_STREAM, 0) or die "socket: $!";
+connect(SOCK, sockaddr_un($fs_passwdd_socket)) or die "connect: $!";
+print SOCK join("\n", $me, $old_password, $new_password, '', ''), "\n";
+SOCK->flush;
+my $error = ;
+chomp $error;
+
+if ($error) {
+ die $error;
+} else {
+ print < + + Password changed + + +

Password changed

+
Your password has been changed. + + +END +}
diff --git a/fs_passwd/fs_passwd.html b/fs_passwd/fs_passwd.html
new file mode 100644
index 000000000..fadc4df8b
--- /dev/null
+++ b/fs_passwd/fs_passwd.html
@@ -0,0 +1,25 @@
+ + Change password + + +
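Review bot: After `SOCK->flush`, if the daemon closes the connection without writing a reply, the readline into `$error` (its filehandle is not visible in this rendering) returns undef, `chomp` merely warns under `-w`, and `if ($error)` falls through to the "Password changed" page, so a lost or crashed daemon is reported to the user as success; add `die "no response from fs_passwdd\n" unless defined $error;` before the `chomp`. With `fatalsToBrowser` in effect every `die` in this script, including `connect: $!` with its errno text, is rendered to an anonymous visitor of what the docs call a public CGI, so logging the detail server-side and showing a generic failure message would be the safer pattern. On style, `my $cgi = new CGI;` is indirect-object syntax and should be `my $cgi = CGI->new;`, `use Getopt::Std;` is unused here, and `SOCK` is a bareword handle that is never closed — a lexical handle with an explicit `close ... or die` would also surface buffered write errors.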

Change password

+
+ + + + + + + + + + + + + +
Username
Current password
New password
Re-enter new password
+
+ + +
diff --git a/httemplate/docs/passwd.html b/httemplate/docs/passwd.html
index e5242c200..c4d91480c 100755
--- a/httemplate/docs/passwd.html
+++ b/httemplate/docs/passwd.html
@@ -3,14 +3,21 @@

fs_passwd

-You may use fs_passwd/fs_passwd as a "passwd", "chfn" and "chsh" replacement on your shell machine(s) to cause password, gecos and shell changes to update your freeside machine. This can pose a security risk if not configured correctly. Do not use this feature unless you understand what you are doing! +You may use fs_passwd/fs_passwd as a "passwd", "chfn" and "chsh" replacement on your shell machine(s) to cause password, gecos and shell changes to update your freeside machine. You can also use the fs_passwd/fs_passwd.html and fs_passwd/fs_passwd.cgi to run a public password change CGI on a public web server. This can pose a security risk if not configured correctly. Do not use this feature unless you understand what you are doing!

Currently it is assumed that the the crypt(3) function in the C library is the same on the Freeside machine as on the target machine.
    -
  • Create a freeside account on the shell machine(s). -
  • Append the identity.pub from the freeside user on your freeside machine to the authorized_keys file of the newly created freeside user on the shell machine(s). +
  • Create a freeside account on the shell or web machine(s). +
  • Setup SSH keys: +
      +
    • As the freeside user (on your freeside machine), generate an authentication key using ssh-keygen. Since this is for unattended operation, use a blank passphrase. +
    • Append the newly-created identity.pub file to ~root +/.ssh/authorized_keys on the shell or web machine(s). +
    • Some new SSH v2 implementation accept v2 style keys only. Use the -t option to ssh-keygen, and append the created id_dsa.pub or id_rsa.pub to ~root/.ssh/authorized_keys2 on the remote machine(s). +
    +
  • Copy fs_passwd/fs_passwdd to /usr/local/sbin on the shell or web machine(s). (chown freeside, chmod 500) +
  • Create /usr/local/freeside on the shell or web machine(s). (chown freeside, chmod 700) +
  • Run an iteration of "fs_passwd/fs_passwd_server user shell.machine" as the freeside user for each shell or web machine (this is a daemon process). user refers to the freeside user from the mapsecrets configuration file.
  • Copy fs_passwd/fs_passwd to /usr/local/bin on the shell machine(s). (chown freeside, chmod 4755). You may link it to passwd, chfn and chsh as well. -
  • Copy fs_passwd/fs_passwdd to /usr/local/sbin on the shell machine(s). (chown freeside, chmod 500) -
  • Create /usr/local/freeside on the shell machine(s). (chown freeside, chmod 700) -
  • Run an iteration of "fs_passwd/fs_passwd_server user shell.machine" as the freeside user for each shell machine (this is a daemon process). user refers to the freeside user from the mapsecrets configuration file. +
  • Copy fs_passwd/fs_passwd.cgi to the cgi-bin directory on your web machine(s). Use suEXEC or suidperl to run fs_passwd.cgi as the freeside user.
-- 2.11.0