topic Re: A perl script that interacts with user authentication. in Operating System - HP-UX

A perl script that interacts with user authentication.

Steven E. Protter — Fri, 12 Mar 2004 00:00:01 GMT

Based on this thread.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=502489

I'd like to see a perl script that does the following:

1) Authenticates that the user and password entered on a web form and only proceeeds if the user is properly authenticated.
2) An evaulation of the security risk of having such a script operate on the public Internet.

My squirrelmail authenticates in php just fine, I don't think its a security risk.

3) Script must be based on the latest verion of formscript. The formmail script that many use to send mail.

I'm attaching a copy of the perl script and will award 10 points to a working mod I can integrate into one of my scripts.

Please assume the fieldnames are thus:

username=username
password=password

Unless this is a spam risk.

I have searched http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=51050 and bit found anything that meets that spec.

Assume the system is NOT trusted but it would be useful and worth another rabbit if shadow passwords were in force.

SEP

Re: A perl script that interacts with user authentication.

Steven E. Protter — Fri, 26 Mar 2004 09:55:27 GMT

I would happily hand a bunny to anyone that could give me a working perl snippet that did the following:

1)Took the user id and password from a form and in a relatively safe method authenticated the user against /etc/passwd.

It sounds like a slam dunk for A. Clay or Merijn.

Thanks.

SEP

Re: A perl script that interacts with user authentication.

H.Merijn Brand (procura — Fri, 26 Mar 2004 10:05:31 GMT

# perldoc -f crypt would show you this:

$pwd = (getpwuid ($<))[1];

system "stty -echo";
print "Password: ";
chomp ($word = );
print "\n";
system "stty echo";

if (crypt ($word, $pwd) ne $pwd) {
die "Sorry...\n";
}
else {
print "ok\n";
}

Enjoy, Have FUN! H.Merijn

Re: A perl script that interacts with user authentication.

Steven E. Protter — Fri, 26 Mar 2004 10:10:21 GMT

That simple? I'm assuming the function is smart enough to know where the password file is, since its got to work on HP-UX and Linux.

I'm a little hazy on where the user id comes in, but will play with this over the weekend and point you asap.

Looks like a possible winner, though my pea brain molecules could use confirmation of what I just said or a little handholding explanation.

Thanks Sir. I have another one coming up for you where i need to get an oracle metalink page, which requires userid and password. I want to process it and check that my systems are current on oracle patches. First I want to get the back end working before I post.

SEP

Re: A perl script that interacts with user authentication.

Marvin Strong — Fri, 26 Mar 2004 11:57:00 GMT

Well I did it a bit different in a program I wrote a few years back. For a SUN box. That was also a web interface, to create or modify users. It actually much more complex than this, as I had a config file, that contained authorized users aswell. however the meat of your problem I addressed as follows:

maybe not the best solution but it worked.

sub verify_user {
my ($pass, $email);
my ($vuser, $guess) = @_;
open(SHADOW, "/etc/shadow") or die "unable to open /etc/shadow";
while() {
$pass = (split/:/, $_)[1] if m|^$vuser:|;
}
close(SHADOW);

if (crypt($guess, $pass) eq $pass) {
return($email);
} else {
&error(2,"Failed to authenticate: incorrect username or password");
}
}

Re: A perl script that interacts with user authentication.

Steven E. Protter — Fri, 26 Mar 2004 12:01:00 GMT

Excellent. I'll try them out. I'll admit I don't have a clue how either of these programs can work. An doc explaining that is something I'm hunting for in my perl book.

I smell rabbits out there for both of you guys.

SEP

Re: A perl script that interacts with user authentication.

H.Merijn Brand (procura — Fri, 26 Mar 2004 12:07:10 GMT

My snippet does not need to know where the password file is: getwduid () should and does. That looks up the password entry by user ID. If you wanna do it by name, use getpwnam ().

# perldoc -f getpwnam

Enjoy, Have FUN! H.Merijn

Re: A perl script that interacts with user authentication.

Steven E. Protter — Fri, 26 Mar 2004 12:11:07 GMT

That helps a lot Merijn. Its going to be fun trying this.

The reason for this is I'm setting up a few websites where authorized users will paste their content into a form and a perl script authetnicates and if authentication passes, generates html content on the site.

Its important that only authorized users update the site.

Thanks. Its always a pleasure working with you Merijn. I have a lot on my plate this weekend but will try and test this out.

SEP

Re: A perl script that interacts with user authentication.

Marvin Strong — Fri, 26 Mar 2004 12:22:49 GMT

I agree getpwnam is probably the way I would do it now. Instead of parsing the password file. However at the time I didn't know about getpwnam, but knew I could parse the password file.

my sub above works by passing into it the username and pw from your web form.

I also had another file, that I looked at so that only authorized users could use the form. So if the username was not in the authorized file, my script would error immediately without looking through the pw file.

Re: A perl script that interacts with user authentication.

Ralph Grothe — Fri, 26 Mar 2004 12:23:50 GMT

The Perl implementation of the getpw* functions is a direct mapping of the underlying namesake syscalls from the libc.
Therefore on Unices that conform to POSIX no weeding with group, passwd or shadow files should be necessary, as Merijn rightly stressed.

Re: A perl script that interacts with user authentication.

Steven E. Protter — Sun, 28 Mar 2004 11:46:34 GMT

Sounds like fun. Late this evening, preliminary test results should be available, along with point assignments. I'm just going to add some displays to my current experimental script and display validation results or any errors generated from your snippets.

SEP

Re: A perl script that interacts with user authentication.

Steven E. Protter — Tue, 30 Mar 2004 00:06:11 GMT

I have been playing with this and feeling stupid.

if user id is in a variable called
$user

and password is in variable called

$password

I use the function how?

Here is my hack.

verify_user( $password, $user);

sub verify_user {
my ($pass, $email);
my ($vuser, $guess) = @_;
open(SHADOW, "/etc/shadow") or die "unable to open /etc/shadow";
while() {
$pass = (split/:/, $_)[1] if m|^$vuser:|;
}
close(SHADOW);

if (crypt($guess, $pass) eq $pass) {
return($email);
} else {
&error(2,"Failed to authenticate: incorrect username or password");
}
}

I'm not thrilled with this approach, though its getting 9 points minimum, because its not portable. I want this form to work on an hpux system

Please correct me on my attempted usage. Its worth at least 8 points. This thread is officially a mother load.

Same Scenario, Merijn's code...

# how do i set the user id here.

$pwd = (getpwuid ($<))[1];

# don't need this line the web form handles
# system "stty -echo";
# webform gets the pasword to, but its
# great to know how to do it
# print "Password: ";
# webform gets it
# chomp ($word = );
# print "\n";
# system "stty echo";

#

if (crypt ($word, $pwd) ne $pwd) {
die "Sorry...\n";
}
else {
print "ok\n";
}

So Merijn's doesn't quite work in my mind, because i feel stupid today.

So if user id is set in $user and password is collected and in $password, how does your code work Merijn.

I know I'm dense today, but i was playing and blew up my form.

My form nicely unwebifys the data

SEP

Re: A perl script that interacts with user authentication.

H.Merijn Brand (procura — Tue, 30 Mar 2004 00:45:56 GMT

My snippet does not work because you do not have a user _ID_, but a user _name_, so you don't need getpwuid (), but getpwnam ()

Demo:
--8<---
lt09:/home/merijn 101 > perl -le'$,=", ";print getpwnam "merijn"'
merijn, SlpkWGvAcjWXI, 1903, 1900, , , H.Merijn Brand, /home/merijn, /bin/tcsh
lt09:/home/merijn 102 > perl -le'$,=", ";print getpwnam "hcgdft"'

lt09:/home/merijn 103 >
-->8---

So getpwnam returns an array if the user is found and valid, otherwise it's empty. No need to open a file.

So given $user, $password, and $email come from your web form:

--8<--- from your code
# how do i set the user id here.

@usr = getpwnam $user;
$usr[0] eq $user or die "This user is not known to this system\n"; # Use anything else for die if you don't want to die

$pwd = (getpwuid ($user))[1];

if (crypt ($word, $pwd) ne $pwd) {
die "Sorry...\n";
}
else {
print "ok\n";
}
-->8---

Still that simple. Sooo, turning that into your sub:

--8<---
sub verify_user ()
{
my @usr = getpwnam $user;
$usr[0] eq $user && # This user is not known to this system
crypt ($password, $usr[1]) eq $usr[1] and return $email;

error (2, "Failed to authenticate: incorrect username or password");
} # verify_user

verify_user ();
--8<---

Enjoy, Have FUN! H.Merijn

Re: A perl script that interacts with user authentication.

Marvin Strong — Tue, 30 Mar 2004 16:00:56 GMT

Here is my hack.

verify_user( $password, $user);

sub verify_user {
my ($pass, $email);
my ($vuser, $guess) = @_;

This failed because you passed password and user backwards into the sub routine.

You needed to do it in this order.
verify_user($user, $password);
($vuser, $guess) = @_;

For example:

verify_user(mstrong, test);

sub verify_user {
($vuser, $guess) = @_;
would do the following
$vuser = mstrong; $guess = password;

As for it being portable, yeah I agree it could have been much better.
You would also need to change /etc/shadow to /etc/passwd. And it will not work on a HPUX trusted machine.

The getpwnam way is the best, wish I would have known about it back when I wrote this kludge. But this was my first major perl project.

Re: A perl script that interacts with user authentication.

Marvin Strong — Tue, 30 Mar 2004 16:04:41 GMT

$guess = password;
should be
$guess = test; in my example above.

was in a hurry and didnt proofread it sorry.

Re: A perl script that interacts with user authentication.

Steven E. Protter — Tue, 30 Mar 2004 16:06:21 GMT

You have to use the function on hp-ux becasue if the system is trusted, there is no password information in /etc/passwd

Three possible authenthication scenarios in HP-UX

/etc/passwd
/etc/shadow #this is an available add in product
Trusted System # lots of little files for passwords.

You do get your points. I'm going to try this stuff out and the thread will be pinged to the top with actual error messages if the code fails.

SEP