Operating System - HP-UX

A perl script that interacts with user authentication.

SOLVED
Steven E. Protter
Exalted Contributor

A perl script that interacts with user authentication.

Based on this thread.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=502489

I'd like to see a perl script that does the following:

1) Authenticates the user and password entered on a web form and only proceeds if the user is properly authenticated.
2) An evaluation of the security risk of having such a script operate on the public Internet.

My squirrelmail authenticates in php just fine, I don't think it's a security risk.

3) Script must be based on the latest version of formscript. The formmail script that many use to send mail.

I'm attaching a copy of the perl script and will award 10 points to a working mod I can integrate into one of my scripts.

Please assume the fieldnames are thus:

username=username
password=password

Unless this is a spam risk.

I have searched http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=51050 and not found anything that meets that spec.

Assume the system is NOT trusted but it would be useful and worth another rabbit if shadow passwords were in force.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: A perl script that interacts with user authentication.

I would happily hand a bunny to anyone that could give me a working perl snippet that did the following:

1)Took the user id and password from a form and in a relatively safe method authenticated the user against /etc/passwd.

It sounds like a slam dunk for A. Clay or Merijn.

Thanks.

SEP
H.Merijn Brand (procura
Honored Contributor

Re: A perl script that interacts with user authentication.

# perldoc -f crypt would show you this:

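# Encrypted password field of the passwd entry for the current real user ID
$pwd = (getpwuid ($<))[1];

system "stty -echo";    # do not echo the password while it is typed
print "Password: ";
chomp ($word = <STDIN>);
print "\n";
system "stty echo";

# The stored hash doubles as the salt for crypt ()
if (crypt ($word, $pwd) ne $pwd) {
    die "Sorry...\n";
    }
else {
    print "ok\n";
    }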

Enjoy, Have FUN! H.Merijn
Steven E. Protter
Exalted Contributor

Re: A perl script that interacts with user authentication.

That simple? I'm assuming the function is smart enough to know where the password file is, since it's got to work on HP-UX and Linux.

I'm a little hazy on where the user id comes in, but will play with this over the weekend and point you asap.

Looks like a possible winner, though my pea brain molecules could use confirmation of what I just said or a little handholding explanation.

Thanks Sir. I have another one coming up for you where I need to get an Oracle MetaLink page, which requires userid and password. I want to process it and check that my systems are current on Oracle patches. First I want to get the back end working before I post.

SEP
Marvin Strong
Honored Contributor

Re: A perl script that interacts with user authentication.

Well, I did it a bit differently in a program I wrote a few years back for a SUN box. That was also a web interface, to create or modify users. It was actually much more complex than this, as I had a config file that contained authorized users as well. However, the meat of your problem I addressed as follows:

maybe not the best solution but it worked.

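sub verify_user {
    my ($pass, $email);
    my ($vuser, $guess) = @_;
    open(SHADOW, "/etc/shadow") or die "unable to open /etc/shadow";
    while (<SHADOW>) {
        # \Q...\E: match the form-supplied name literally, not as a regex
        $pass = (split/:/, $_)[1] if m|^\Q$vuser\E:|;
    }
    close(SHADOW);

    # $pass stays undefined when the user has no entry: treat that as a failure
    if (defined $pass && crypt($guess, $pass) eq $pass) {
        return($email);
    } else {
        &error(2,"Failed to authenticate: incorrect username or password");
    }
}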
Steven E. Protter
Exalted Contributor

Re: A perl script that interacts with user authentication.

Excellent. I'll try them out. I'll admit I don't have a clue how either of these programs can work. A doc explaining that is something I'm hunting for in my perl book.

I smell rabbits out there for both of you guys.

SEP
H.Merijn Brand (procura
Honored Contributor

Re: A perl script that interacts with user authentication.

My snippet does not need to know where the password file is: getpwuid () should and does. That looks up the password entry by user ID. If you wanna do it by name, use getpwnam ().

# perldoc -f getpwnam

Enjoy, Have FUN! H.Merijn
Steven E. Protter
Exalted Contributor

Re: A perl script that interacts with user authentication.

That helps a lot Merijn. It's going to be fun trying this.

The reason for this is I'm setting up a few websites where authorized users will paste their content into a form and a perl script authenticates and, if authentication passes, generates html content on the site.

It's important that only authorized users update the site.

Thanks. It's always a pleasure working with you Merijn. I have a lot on my plate this weekend but will try and test this out.

SEP
Marvin Strong
Honored Contributor

Re: A perl script that interacts with user authentication.

I agree getpwnam is probably the way I would do it now. Instead of parsing the password file. However at the time I didn't know about getpwnam, but knew I could parse the password file.

My sub above works by passing into it the username and pw from your web form.


I also had another file, that I looked at so that only authorized users could use the form. So if the username was not in the authorized file, my script would error immediately without looking through the pw file.
Ralph Grothe
Honored Contributor

Re: A perl script that interacts with user authentication.

The Perl implementation of the getpw* functions is a direct mapping of the underlying namesake syscalls from the libc.
Therefore on Unices that conform to POSIX no weeding with group, passwd or shadow files should be necessary, as Merijn rightly stressed.
Madness, thy name is system administration
Steven E. Protter
Exalted Contributor

Re: A perl script that interacts with user authentication.

Sounds like fun. Late this evening, preliminary test results should be available, along with point assignments. I'm just going to add some displays to my current experimental script and display validation results or any errors generated from your snippets.

SEP
Steven E. Protter
Exalted Contributor

Re: A perl script that interacts with user authentication.

I have been playing with this and feeling stupid.

if user id is in a variable called
$user

and password is in variable called

$password

I use the function how?

Here is my hack.

verify_user( $password, $user);

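sub verify_user {
    my ($pass, $email);
    my ($vuser, $guess) = @_;
    open(SHADOW, "/etc/shadow") or die "unable to open /etc/shadow";
    while (<SHADOW>) {
        # \Q...\E: match the form-supplied name literally, not as a regex
        $pass = (split/:/, $_)[1] if m|^\Q$vuser\E:|;
    }
    close(SHADOW);

    # $pass stays undefined when the user has no entry: treat that as a failure
    if (defined $pass && crypt($guess, $pass) eq $pass) {
        return($email);
    } else {
        &error(2,"Failed to authenticate: incorrect username or password");
    }
}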


I'm not thrilled with this approach, though it's getting 9 points minimum, because it's not portable. I want this form to work on an HP-UX system.

Please correct me on my attempted usage. It's worth at least 8 points. This thread is officially a mother lode.

Same Scenario, Merijn's code...


# how do i set the user id here.

$pwd = (getpwuid ($<))[1];

# don't need this line, the web form handles it
# system "stty -echo";
# webform gets the password too, but it's
# great to know how to do it
# print "Password: ";
# webform gets it
# chomp ($word = <STDIN>);
# print "\n";
# system "stty echo";

#

if (crypt ($word, $pwd) ne $pwd) {
die "Sorry...\n";
}
else {
print "ok\n";
}

So Merijn's doesn't quite work in my mind, because I feel stupid today.

So if user id is set in $user and password is collected and in $password, how does your code work, Merijn?

I know I'm dense today, but I was playing and blew up my form.

My form nicely unwebifys the data

SEP
H.Merijn Brand (procura
Honored Contributor
Solution

Re: A perl script that interacts with user authentication.

My snippet does not work because you do not have a user _ID_, but a user _name_, so you don't need getpwuid (), but getpwnam ()

Demo:
--8<---
lt09:/home/merijn 101 > perl -le'$,=", ";print getpwnam "merijn"'
merijn, SlpkWGvAcjWXI, 1903, 1900, , , H.Merijn Brand, /home/merijn, /bin/tcsh
lt09:/home/merijn 102 > perl -le'$,=", ";print getpwnam "hcgdft"'

lt09:/home/merijn 103 >
-->8---

So getpwnam returns an array if the user is found and valid, otherwise it's empty. No need to open a file.

So given $user, $password, and $email come from your web form:

--8<--- from your code
# how do i set the user id here.

@usr = getpwnam $user;
$usr[0] eq $user or die "This user is not known to this system\n"; # Use anything else for die if you don't want to die

# encrypted password is field 1 of the entry found by name
$pwd = $usr[1];

# $password is the value that came from the web form
if (crypt ($password, $pwd) ne $pwd) {
    die "Sorry...\n";
    }
else {
    print "ok\n";
    }
-->8---

Still that simple. Sooo, turning that into your sub:

--8<---
sub verify_user ()
{
my @usr = getpwnam $user;
$usr[0] eq $user && # This user is not known to this system
crypt ($password, $usr[1]) eq $usr[1] and return $email;

error (2, "Failed to authenticate: incorrect username or password");
} # verify_user

verify_user ();
-->8---

Enjoy, Have FUN! H.Merijn
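
A hardened variant of the getpwnam ()/crypt () check from the solution above, added here as an example (it is not code from any poster in this thread). The helper names ct_eq and check_hash, the username pattern and the sample salt and password are assumptions made for the illustration; the check fails closed on the placeholder values an unprivileged caller sees in the password field on shadowed or Trusted systems.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constant-time comparison, so timing does not show how much of the hash matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Check a candidate password against a stored crypt(3) hash, failing closed.
sub check_hash {
    my ($guess, $stored) = @_;
    return 0 unless defined $guess && defined $stored;
    # "x", "*", "!..." or "" mean the real hash lives elsewhere or the account
    # is locked; a usable traditional hash is at least 13 characters long.
    return 0 if length($stored) < 13 || $stored =~ /^[*!]/;
    my $calc = crypt($guess, $stored);    # the stored hash doubles as the salt
    return 0 unless defined $calc;        # crypt () may reject the salt format
    return ct_eq($calc, $stored);
}

# Returns 1 or 0 and never tells the caller whether user or password was wrong.
sub verify_user {
    my ($user, $guess) = @_;
    # Assumed username policy: reject anything that is not a plain login name.
    return 0 unless defined $user && $user =~ /\A[a-z_][a-z0-9_.-]{0,31}\z/i;
    my @pw = getpwnam($user);             # empty list for unknown users
    return 0 unless @pw && $pw[0] eq $user;
    return check_hash($guess, $pw[1]);
}

# Constructed demo: hash a sample password with a constructed salt, then try
# right and wrong guesses, the placeholder values and an unknown user.
my $stored = crypt('test', 'ab');
if (defined $stored && length($stored) >= 13) {
    print 'right password: ', (check_hash('test',  $stored) ? "ok\n" : "denied\n");
    print 'wrong password: ', (check_hash('wrong', $stored) ? "ok\n" : "denied\n");
}
print "placeholder '$_': ", (check_hash('test', $_) ? "ok\n" : "denied\n") for 'x', '*', '';
print 'unknown user: ',
    (verify_user('no-such-user-constructed', 'test') ? "ok\n" : "denied\n");
```

In a CGI script, call verify_user ($user, $password) with the decoded form fields and treat any 0 as one generic failure.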
Marvin Strong
Honored Contributor

Re: A perl script that interacts with user authentication.


Here is my hack.

verify_user( $password, $user);

sub verify_user {
my ($pass, $email);
my ($vuser, $guess) = @_;


This failed because you passed password and user backwards into the sub routine.

You needed to do it in this order.
verify_user($user, $password);
($vuser, $guess) = @_;

For example:

verify_user(mstrong, test);

sub verify_user {
($vuser, $guess) = @_;
would do the following
$vuser = mstrong; $guess = password;


As for it being portable, yeah I agree it could have been much better.
You would also need to change /etc/shadow to /etc/passwd. And it will not work on a HPUX trusted machine.

The getpwnam way is the best, wish I would have known about it back when I wrote this kludge. But this was my first major perl project.





Marvin Strong
Honored Contributor

Re: A perl script that interacts with user authentication.


$guess = password;
should be
$guess = test; in my example above.

Was in a hurry and didn't proofread it, sorry.


Steven E. Protter
Exalted Contributor

Re: A perl script that interacts with user authentication.

You have to use the function on HP-UX because if the system is trusted, there is no password information in /etc/passwd.

Three possible authentication scenarios in HP-UX:

/etc/passwd
/etc/shadow #this is an available add in product
Trusted System # lots of little files for passwords.

You do get your points. I'm going to try this stuff out and the thread will be pinged to the top with actual error messages if the code fails.

SEP