web-based password checking tool?

Joshua Lokken joshua.lokken at gmail.com
Tue Dec 14 11:13:11 PST 2004


On Tue, 14 Dec 2004 14:04:44 -0500, Alexander Chamandy
<bsdfreak at gmail.com> wrote:
> In that case, check out something like:
> http://rucus.ru.ac.za/~bvi/utils/webpass/
> 
> "Web Pass is a CGI script which allows users on a system to change
> their passwords via the web. This is useful for users with no shell
> access to the machine, but who still have 'real' accounts for things
> such as web space, ftp Samba and the like."
> 
> I hope this helps!
> 
> On Tue, 14 Dec 2004 16:02:46 -0300 (ART), Fernando Gleiser
> <fgleiser at cactus.fi.uba.ar> wrote:
> > On Tue, 14 Dec 2004, Alexander Chamandy wrote:
> >
> > > The solution I've seen people use in the past is Webmin
> > > (http://www.webmin.com/), but I haven't heard great things about its
> > > security.  I would use it cautiously if you are looking for that
> > > functionality.
> > 
> > Webmin is a different thing. it allows for web-based administration,
> > it isn't useful as a tool for users to change their passwords.
> > In order to use webmin for that, I'd have to add a webmin user for
> > every mail user and restrict the module set. It is just not worth it.
> >
> > I'm looking for something like some ISPs do: a form where you enter
> > your username, your old password and your new one (twice, for confirmation).
> >
> > I think I can hack a quick CGI script which does that, then checks the
> > parameters, and if everything is OK, hashes the new passwd and calls
> > something like
> > "echo ecnryptedpass | sudo pw usermod user -H 1"
> >
> > or something like that. But I prefer to use already made and tested
> > solutions.
> >
> >
> > > The problem I'd note is that in order to attain
> > > convenience in the traditional sense, one must generally sacrifice
> > > layers of security.  In this case, allowing a web interface to change
> > > users' authentication credentials provides risks (compromise,
> > > information leakage, etc.) and rewards (enhanced usability for novice
> > > users, added convenience).
> > 
> > Exactly. But I think in this case is justified. We're talking about
> > people who are not technical. It's the only way.


Alexander, please do not top-post.
http://www.html-faq.com/etiquette/?toppost

-- 
Joshua Lokken
Open Source Advocate


More information about the freebsd-questions mailing list