Setting user passwords without using passwd?


Laberdabergunder

Programmer
Nov 4, 1999
Hello!

Can I in some way set passwords in Linux without using the passwd command?

What I want to do is from CGI change a user's password from the web.
 
Ouch! Changing user passwords from the WWW? Don't do it!!!!! Lots of nasty, nasty people who would just *love* to break in to your web page and start changing passwords on your system.

If you *really* have to do it, though, maybe an 'expect' script would do the job for you. Caveat scriptor...

If you're planning on doing this to save some time changing luser's passwords, you should maybe think about scheduling some time in to do extra security work...
 
From the WEB!?! I have to agree with AndyBo. If there's any way, avoid it.
If your scripts aren't airtight (and whose are?) you're practically giving your machine away.

If it's REALLY that important, change over to an NT box, and go in through BO2k, or PCanywhere.
They're both more secure.

If you're in a corporate environment, hire another Asst. sysadmin.
 
Hi dear,
Don't you worry, your problem is solved. This script would help you. This is written in expect. First download it and then compile it. Now you have to make a web page containing a form and then give that form your user name, old passwd and new passwd and on submit call this CGI script. Your password will change. The variables or text boxes you require on your web form are name, old, new1 and new2.
Have fun dear.


#!/usr/local/src/expect-5.38/expect --

# This is a CGI script to process requests created by the accompanying
# passwd.html form. This script is pretty basic, although it is
# reasonably robust. (Purposely intent users can make the script bomb
# by mocking up their own HTML form, however they can't expose or steal
# passwords or otherwise open any security holes.) This script doesn't
# need any special permissions. The usual (ownership nobody) is fine.
#
# Don Libes, NIST

# Modified virtually beyond all recognition by
# Jim Levie (jim@entrophy-free.net) to work properly under Solaris or Linux.

puts "Content-type: text/html\n" ;# note extra newline

puts "
<head>
<title>Passwd Change Acknowledgment</title>
</head>

<h2>Passwd Change Acknowledgment</h2>
"

proc cgi2ascii {buf} {
    regsub -all {\+} $buf { } buf
    regsub -all {([\\["$])} $buf {\\\1} buf
    regsub -all -nocase "%0d%0a" $buf "\n" buf
    regsub -all -nocase {%([a-f0-9][a-f0-9])} $buf {[format %c 0x\1]} buf
    eval return \"$buf\"
}

foreach pair [split [read stdin $env(CONTENT_LENGTH)] &] {
    regexp (.*)=(.*) $pair dummy varname val
    set val [cgi2ascii $val]
    set var($varname) $val
}

log_user 0

proc errormsg {s} {puts "<h3>Error: $s</h3>"}
proc successmsg {s} {puts "<h3>$s</h3>"}
# Need to su first to get around passwd's requirement that passwd cannot
# be run by a totally unrelated user. Seems rather pointless since it's
# so easy to satisfy, eh?
#
# Solaris 2.6 & later needs the -r option to specify which
# password service (files, nis, nisplus) see man passwd. Linux
# has passwd in a different location and doesn't need the
# service specification. (Note that I no longer have anything
# earlier than 2.6 to test with, you've been warned... there be
# dragons here).
#
# BIG NOTE!!! Linux has to have the "sleep 1" between each of
# the "expect/send" pairs. It puts out the prompt before it's actually
# ready to take input. You can comment them out for Solaris, but
# it doesn't hurt for them to be there and might be a plus on a
# busy server. (there be really big dragons here...)
#
# Change as appropriate to reflect where your passwd executable is
#
# The next line (commented out) is for Solaris, the one following is
# for Linux
#
#spawn /bin/su $var(name) -c "/bin/passwd -r files $var(name)"
spawn /bin/su $var(name) -c "/usr/bin/passwd"

sleep 1
# su asks for the target user's current password
expect {
    -re "Unknown (login|id):" {
        errormsg "unknown user: $var(name)"
        exit
    } -re "(.*) does not exist" {
        errormsg "unknown user: $var(name)"
        exit
    } default {
        errormsg "$expect_out(buffer)"
        exit
    } "Password:"
}
send "$var(old)\r"
sleep 1
# passwd itself asks for the current password again
expect {
    "Sorry" {
        errormsg "Old password incorrect"
        exit
    } "incorrect passwd" {
        errormsg "Old password incorrect"
        exit
    } default {
        errormsg "$expect_out(buffer)"
        exit
    } -re "(.*)(login|UNIX) password:"
}
send "$var(old)\r"
sleep 1
# prompt for the new password
expect {
    "Sorry" {
        errormsg "Old password incorrect"
        exit
    } default {
        errormsg "$expect_out(buffer)"
        exit
    } -re "New (.*)password:"
}
send "$var(new1)\r"
sleep 1
# prompt to retype the new password
expect {
    -re "passwd.SYSTEM.(.*)" {
        errormsg "$expect_out(buffer)"
        exit
    } -re "BAD(.*)" {
        errormsg "$expect_out(buffer)"
        exit
    } "passwd: Authentication token manipulation error" {
        errormsg "Old Password incorrect"
        exit
    } default {
        errormsg "Unknown error from passwd"
        exit
    } -re "Re(.*) password:"
}
send "$var(new2)\r"
sleep 1
# final result from passwd
expect {
    -re "passwd(.*) try again" {
        errormsg "$expect_out(buffer)"
        exit
    } -re "Sorry,(.*)" {
        errormsg "$expect_out(buffer)"
        exit
    } default {
        errormsg "Unknown error from passwd"
        exit
    } -re "(.*) successfully changed (.*)" {
        successmsg "Password successfully changed"
        exit
    } -re "(.*) updated successfully" {
        successmsg "Successfully updated password"
        exit
    }
}
close
wait
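
An added example, not part of the post above or of the original script: input handling that could run before the spawn line, decoding the form fields without eval, validating the login name and password fields, and HTML-escaping anything echoed back into the page. The proc names, the login-name policy and the request bodies are assumptions made for illustration.

```tcl
# Added example, hypothetical proc names, Tcl 8.4+. url_decode avoids eval/subst.
proc url_decode {s} {
    set s [string map {+ " "} $s]
    set out ""
    for {set i 0} {$i < [string length $s]} {incr i} {
        set hex [string range $s [expr {$i + 1}] [expr {$i + 2}]]
        if {[string index $s $i] eq "%" && [regexp {^[0-9A-Fa-f]{2}$} $hex]} {
            append out [format %c [scan $hex %x]]
            incr i 2
        } else {
            append out [string index $s $i]
        }
    }
    return $out
}
# Split a POST body into a key/value list; pairs without "=" are skipped.
proc parse_form {body} {
    set fields {}
    foreach pair [split $body &] {
        set pos [string first = $pair]
        if {$pos < 0} continue
        lappend fields [url_decode [string range $pair 0 [expr {$pos - 1}]]]
        lappend fields [url_decode [string range $pair [expr {$pos + 1}] end]]
    }
    return $fields
}
# Assumed policy: lower-case login names, no leading "-", never root.
proc valid_login {name} {
    expr {[regexp {^[a-z_][a-z0-9_.-]{0,31}$} $name] && $name ne "root"}
}
# Non-empty, bounded, no control characters (CR/LF would add dialogue lines).
proc valid_secret {s} {
    regexp {^[^[:cntrl:]]{1,128}$} $s
}
# Escape text before echoing it into the HTML response.
proc html_escape {s} {
    string map {& &amp; < &lt; > &gt; \" &quot; ' &#39;} $s
}
# Constructed request bodies (not from the thread): one hostile, one clean.
foreach body {name=%3Cb%3Eroot%3C%2Fb%3E&old=a&new1=b&new2=b
              name=alice&old=o%3Dld&new1=N3w%2Bpw&new2=N3w%2Bpw} {
    array set f [concat {name "" old "" new1 "" new2 ""} [parse_form $body]]
    if {![valid_login $f(name)]} {
        puts "<h3>Error: invalid user: [html_escape $f(name)]</h3>"
    } elseif {![valid_secret $f(old)] || ![valid_secret $f(new1)] || $f(new1) ne $f(new2)} {
        puts "<h3>Error: invalid password fields</h3>"
    } else {
        puts "<h3>Input for [html_escape $f(name)] passed validation</h3>"
    }
}
```

Percent escapes are decoded to single characters in the 0-255 range, as in the posted cgi2ascii, so multi-byte UTF-8 input is not reassembled.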
 
Salman786, do you know that this post is 4 years old! I don't think this guy is still waiting for an answer....
 
Not sure if it was mature enough in '99 but webmin might be a solution for what he was looking to do. In short, it's a web-based administration tool and provides communication via an SSL-enabled browser. You can do everything from account management to process checking to simple disk administration. And it's free and open-source.

This approach may in fact be more secure than setting passwords in the traditional manner via telnet.
 
I think this is the oldest resurrection I have yet to see on Tek-Tips.
 