First off, if you don't already know, the Linux passwords are stored in the 
/etc/passwd file (unless you have a shadow suite installed, in which case 
/etc/shadow would be a good bet). Basing this on a shadow file, the file is a 
text document with one user per line. The entries are stored in the following 
format: username:passwd:last:may:must:warn:expire:disable:reserved. All you 
really need for changing the password is the passwd section, although the 
other sections could be useful.

The password is not stored as plaintext; it has been crypted (may be a new 
word...). Now, if you aren't familiar with crypt, it is based on the DES, 
which is a symmetrical algorithm. The password (called salt in this case) is a 
two character string chosen from [a-zA-Z0-9./]. This means there are (getting 
calculator out...) (2*26+10+2)^2 = 4096 possible versions of the string.

Now I don't know if a different salt is used for each user or if it is 
uniform throughout. I'll put together a script that crypts my password with 
every salt string possible and checks it against my shadow file, then tries 
that salt with other passwords on my box. Fun project.

So basically, you would have to find the correct salt, crypt the new 
password, then use PHP's file functions to manipulate the passwd/shadow file- 
which brings up yet another problem- security. Do you really want to give PHP 
access to your passwd/shadow file??? Also, if I were you I would verify their 
old password too... just in case bob tries to change sue's password.

If anything in here is outdated or just plain wrong please tell me.

Evan Nemerson


PS: I thought /usr/bin/md5 should exist so here:

#!/usr/local/bin/php -q

<?php
// Drop the script name, then print the MD5 hex digest of the remaining
// arguments joined by single spaces (leading/trailing whitespace trimmed).
unset($argv[0]);
echo md5(trim(implode(" ", $argv))) . "\n";
?>

On Thursday 04 October 2001 07:28 pm, you wrote:
> What is the best way to change Linux passwords using a web .PHP interface?
> I currently allow FTP access to php enabled webhosting sites; which use
> safe mode, thus use real linux accounts.
>
> Thus far I thought I would:
>
> Write a real short C program which would call allow to go
>         setpasswd <username> <passwd>
>         passwd could perhaps be the crypt() version to provide better
> security? it would just call passwd, and ensure that username is not 'root'
> and a few other accounts ;)
>
> Then I would put that program within the directory of executables allowed
> in safe mode. And just have a plain http post form to update the password,
> running over HTTPS.
>
> Does this seem a good plan ... or are there better?
>
> It also begs the question; how do I authenticate an account using php ...
> to login to their 'change password' feature? I have already spent a lot of
> time trying to merge password files for different uses; Windows
> shares, Linux ones, for samba, and this and that, so it'd be nice to now
> have yet another passwd file :)
>
> Siggy

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

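The old-password check and fresh crypt() hash that Evan's reply calls for, as an added PHP example that is not part of the original thread (it assumes PHP 7.1 or later and a crypt() that still supports traditional DES; the shadow entry is constructed in the code, not taken from a real system):

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1 with DES crypt available.

// Parse one /etc/shadow line into the nine fields quoted in Evan's reply.
function parse_shadow_line(string $line): array {
    $parts = explode(':', rtrim($line, "\n"));
    if (count($parts) !== 9) {
        throw new InvalidArgumentException('malformed shadow entry');
    }
    $names = ['username', 'passwd', 'last', 'may', 'must', 'warn', 'expire', 'disable', 'reserved'];
    return array_combine($names, $parts);
}

// Verify a candidate password against a stored crypt(3) hash. crypt() takes the
// salt from the stored hash itself, so no search over the 4096 salts is needed.
function verify_password(string $candidate, string $stored): bool {
    // Locked or disabled accounts ("!", "*", empty field) never verify.
    if ($stored === '' || $stored[0] === '!' || $stored[0] === '*') {
        return false;
    }
    $computed = crypt($candidate, $stored);          // returns "*0"/"*1" on failure
    return strlen($computed) >= 13 && hash_equals($stored, $computed);
}

// Make a fresh traditional DES hash with a random two-character salt from [a-zA-Z0-9./].
// Caveat: DES crypt only uses the first 8 characters of the password.
function des_hash(string $password): string {
    if (CRYPT_STD_DES !== 1) {
        throw new RuntimeException('traditional DES crypt not available in this PHP build');
    }
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
    return crypt($password, $salt);
}

// Change the password only when the caller proves the old one, and hand back the
// updated line rather than letting PHP write /etc/shadow itself (a privileged
// helper can apply it, which keeps the shadow file out of the web server's reach).
function change_password(string $line, string $user, string $old, string $new): ?string {
    $e = parse_shadow_line($line);
    if ($e['username'] !== $user || !verify_password($old, $e['passwd'])) {
        return null;   // wrong user or wrong old password: bob cannot change sue's
    }
    $e['passwd'] = des_hash($new);
    $e['last']   = (string) intdiv(time(), 86400);   // days since the epoch
    return implode(':', $e);
}

// Constructed sample entry for "sue" (hash generated here; no real account involved).
$sample = 'sue:' . crypt('s3cret', 'Xy') . ':11234:0:99999:7:::';
echo change_password($sample, 'sue', 'wrong', 'newpass') === null ? "refused\n" : "changed\n";
echo change_password($sample, 'sue', 's3cret', 'newpass') === null ? "refused\n" : "changed\n";
```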