This is a discussion on "Authenticate a user using same password as linux password" within the PHP Language forums, part of the PHP Programming Forums category.

We're working on an intranet site where we will require users to only be able to access their own page in some instances. Rather than introducing another password to the mix, we were thinking about seeing if we could use the same credentials (username and password) as their Linux credentials. The web site will be running off of the same machine that we want to access the credentials on.

Thanx!
-joltman

joltman,

> We're working on an intranet site where we will require users to only
> be able to access their own page in some instances. Rather than
> introducing another password to the mix, we were thinking about seeing
> if we could use the same credentials (username and password) as their
> linux credentials. The web site will be running off of the same machine
> that we want to access the credentials on.

I would advise against this as PHP/Apache would need read access to the Linux password file. Although it is possible. You would read the Linux password file with the usernames and passwords and use the same algorithm for checking the passwords.

I forget exactly how the algorithm for checking works but you can do a Google search and find it.

Mike

joltman wrote:

> We're working on an intranet site where we will require users to only
> be able to access their own page in some instances. Rather than
> introducing another password to the mix, we were thinking about seeing
> if we could use the same credentials (username and password) as their
> linux credentials. The web site will be running off of the same machine
> that we want to access the credentials on.

The credentials (the user name and encrypted password) are available for reading from Linux password file, /etc/password. If you know what encryption is used on your Linux system and can reproduce it with PHP, you should be able to authenticate against Linux' user database.

As to being able to "require users to only be able to access their own page", this is going to be slightly more complicated. Usually, PHP is configured as an Apache module, so any PHP application runs with Apache's credentials. So you will have to either put access control into your application logic or figure out a way to start your application as a CGI program on behalf of a particular user...

Cheers,
NC
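
Added example (not part of the thread or any poster's code): the check Mike and NC describe, reproducing the system's crypt(3) hashing in PHP and comparing the result against the stored field. The shadow-format line, user name and salt are constructed for the demo; nothing is read from the real password files.

```php
<?php
// Added example: verify a password against a crypt(3)-style stored hash.
// The entry below is built at runtime; no system file is opened.

/** Parse one "name:hash:..." line; returns [name, hash] or null. */
function parseShadowLine(string $line): ?array
{
    $fields = explode(':', rtrim($line, "\n"));
    if (count($fields) < 2 || $fields[0] === '') {
        return null;
    }
    return [$fields[0], $fields[1]];
}

/** True only if $password hashes to the stored crypt(3) string. */
function verifyCryptPassword(string $stored, string $password): bool
{
    // An empty field means no password is set; a leading "*" or "!" means
    // the account is locked. A web login should refuse all of these.
    if ($stored === '' || $stored[0] === '*' || $stored[0] === '!') {
        return false;
    }
    // crypt() takes the scheme id and salt from the stored string itself,
    // so the same code covers DES, MD5 ($1$), SHA-256 ($5$), SHA-512 ($6$).
    $computed = crypt($password, $stored);
    // On failure crypt() returns a short token such as "*0"; never match it.
    if (strlen($computed) < 13) {
        return false;
    }
    // Constant-time comparison, so timing does not leak matching prefixes.
    return hash_equals($stored, $computed);
}

// Constructed sample entry: SHA-512 crypt with a fixed demo salt.
$hash = crypt('correct horse', '$6$demosalt12345678$');
$line = "alice:$hash:19000:0:99999:7:::";

[$user, $stored] = parseShadowLine($line);
var_dump(verifyCryptPassword($stored, 'correct horse'));       // right password
var_dump(verifyCryptPassword($stored, 'wrong guess'));         // wrong password
var_dump(verifyCryptPassword('!' . $stored, 'correct horse')); // locked account
```

PHP's built-in `password_verify()` also accepts crypt(3)-format hashes and performs the comparison in constant time.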

joltman <joltman@geocities.com> wrote:

> We're working on an intranet site where we will require users to only
> be able to access their own page in some instances. Rather than
> introducing another password to the mix, we were thinking about seeing
> if we could use the same credentials (username and password) as their
> linux credentials. The web site will be running off of the same machine
> that we want to access the credentials on.

It's possible but like others have already stated: potentially dangerous since apache needs to be able to read the password files (/etc/shadow in most cases).

So use with care:
http://pam.sourceforge.net/mod_auth_pam/

joltman wrote:

> We're working on an intranet site where we will require users to only
> be able to access their own page in some instances. Rather than
> introducing another password to the mix, we were thinking about seeing
> if we could use the same credentials (username and password) as their
> linux credentials. The web site will be running off of the same machine
> that we want to access the credentials on.

Do the users log in via samba by any chance? If so, you might be able to use something like winbind and htaccess to authenticate the users. Obviously wouldn't work outside of the local samba network, though.

joltman (joltman@geocities.com) wrote:

: Well, they would be logging in from a Windows machine, if that would
: work the same way as samba. It wouldn't be a problem only working in
: the network, as that's the only place it will be used anyway.

I would try to find a unix utility that handles this for you.

I would suggest "su" but I don't know off hand how to pass in the password without a tty (though I suspect it is possible, perhaps something like "expect" could do it).

_IF_ you could use su, then you would simply use it with no further ado. You would call it with the username and password to run a script that does the work for the user. Either it works if the login is correct, or fails if it isn't. In either case you would not need access to the password file, or need to write much code as "su" already does all the work.

If you research then I suspect that there are other utilities that could be used in a similar manner, the fact that none spring to my mind just means I have a lousy memory.

If you do this then you would need to protect the passwords more carefully though, because they would be more "valuable" since they access more stuff than just a web page. That means using HTTPS so no one could snoop the network and find people's passwords.

--
This space not for rent.

You shouldn't do that. It isn't secure at all.

Add a script to your system: when a new *nix user is created, then your system can add the user to an .htpasswd file to be used with apache mod_auth or something like that. Or better, use a database, LDAP...

Mike Willbanks wrote:

> joltman,
>> We're working on an intranet site where we will require users to only
>> be able to access their own page in some instances. Rather than
>> introducing another password to the mix, we were thinking about seeing
>> if we could use the same credentials (username and password) as their
>> linux credentials. The web site will be running off of the same machine
>> that we want to access the credentials on.
>
> I would advise against this as PHP/Apache would need read access to the
> linux password file. Although it is possible. You would read the linux
> password file with the usernames and passwords and use the same
> algorithm for checking the passwords.
>
> I forget exactly how the algorithm for checking works but you can do a
> google search and find it.
>

No it doesn't.

Linux, along with most flavours of *nix, now implements PAM (pluggable authentication modules). These can be configured to authenticate using old-fashioned /etc/passwd, shadow passwords, NIS[+], SMB, radius, kerberos and more.

In order to access some of these resources (specifically shadow passwords) the process must be running as 'root'. The process does not have to be apache. It is fairly painless to create a suid program or daemon which interfaces to PAM - there are a couple of GPL programs available for squid (a web proxy) which do exactly this (although they are set up to process lots of requests per invocation - a single one may be more appropriate).

Try the squid web pages for more info.

C.
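
Added example (not from the thread): the arrangement C. describes, seen from the PHP side, where the web process hands the credentials to a separate helper and never reads the password database itself. Assumptions: the helper uses the line protocol of Squid's basic-auth helpers (`user password` on stdin, `OK` or `ERR` on stdout, fields percent-encoded); the `sh` one-liner is a constructed stand-in for a real PAM helper, and the user-name pattern is a conservative guess at local account names.

```php
<?php
// Added example: delegate the password check to a separate helper process.
// Assumed protocol: "user password\n" on stdin, "OK" or "ERR" on stdout.

function helperAuthenticate(array $helperCmd, string $user, string $pass): bool
{
    // Reject anything that cannot be a local account name before spawning.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        return false;
    }
    $spec = [
        0 => ['pipe', 'r'],               // helper's stdin
        1 => ['pipe', 'w'],               // helper's stdout
        2 => ['file', '/dev/null', 'w'],  // discard helper diagnostics
    ];
    // The array form of proc_open() (PHP >= 7.4) starts the program
    // directly, so no shell ever parses user-supplied data.
    $proc = proc_open($helperCmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    // Credentials travel over stdin, never argv, so they do not appear in
    // the process list. Percent-encoding keeps spaces or newlines in the
    // password from being read as field or record separators.
    fwrite($pipes[0], rawurlencode($user) . ' ' . rawurlencode($pass) . "\n");
    fclose($pipes[0]);
    $reply = fgets($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    // Fail closed: only an explicit "OK" reply counts as success.
    return is_string($reply) && preg_match('/^OK(\s|$)/', $reply) === 1;
}

// Constructed stand-in helper so the example runs without PAM installed.
// In deployment this would be the path to the real helper (placeholder).
$standIn = ['sh', '-c',
    'read u p; [ "$u $p" = "alice open%20sesame" ] && echo OK || echo ERR'];

var_dump(helperAuthenticate($standIn, 'alice', 'open sesame')); // accepted
var_dump(helperAuthenticate($standIn, 'alice', 'guess'));       // rejected
var_dump(helperAuthenticate($standIn, 'alice; id', 'x'));       // bad name
```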