Date: Tue, 14 Dec 2004 13:13:07 -0600
From: Joshua Lokken <joshua.lokken@gmail.com>
To: Alexander Chamandy <bsdfreak@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: web-based password checking tool?
Message-ID: <bc5b6385041214111377db8651@mail.gmail.com>
In-Reply-To: <f420b2a1041214110450801771@mail.gmail.com>
References: <20041214153502.D24270@cactus.fi.uba.ar> <f420b2a104121410416be81e33@mail.gmail.com> <20041214154909.W24270@cactus.fi.uba.ar> <f420b2a1041214110450801771@mail.gmail.com>

On Tue, 14 Dec 2004 14:04:44 -0500, Alexander Chamandy <bsdfreak@gmail.com> wrote:
> In that case, check out something like:
> http://rucus.ru.ac.za/~bvi/utils/webpass/
>
> "Web Pass is a CGI script which allows users on a system to change
> their passwords via the web. This is useful for users with no shell
> access to the machine, but who still have 'real' accounts for things
> such as web space, ftp Samba and the like."
>
> I hope this helps!
>
> On Tue, 14 Dec 2004 16:02:46 -0300 (ART), Fernando Gleiser
> <fgleiser@cactus.fi.uba.ar> wrote:
> > On Tue, 14 Dec 2004, Alexander Chamandy wrote:
> >
> > > The solution I've seen people use in the past is Webmin
> > > (http://www.webmin.com/), but I haven't heard great things about its
> > > security. I would use it cautiously if you are looking for that
> > > functionality.
> >
> > Webmin is a different thing. It allows for web-based administration,
> > it isn't useful as a tool for users to change their passwords.
> > In order to use webmin for that, I'd have to add a webmin user for
> > every mail user and restrict the module set. It is just not worth it.
> >
> > I'm looking for something like some ISPs do: a form where you enter
> > your username, your old password and your new one (twice, for confirmation).
> >
> > I think I can hack a quick CGI script which does that, then checks the
> > parameters, and if everything is OK, hashes the new passwd and calls
> > something like
> > "echo encryptedpass | sudo pw usermod user -H 1"
> >
> > or something like that. But I prefer to use already made and tested
> > solutions.
> >
> >
> > > The problem I'd note is that in order to attain
> > > convenience in the traditional sense, one must generally sacrifice
> > > layers of security. In this case, allowing a web interface to change
> > > users' authentication credentials provides risks (compromise,
> > > information leakage, etc.) and rewards (enhanced usability for novice
> > > users, added convenience).
> >
> > Exactly. But I think in this case it is justified. We're talking about
> > people who are not technical. It's the only way.

Alexander, please do not top-post.
http://www.html-faq.com/etiquette/?toppost

-- 
Joshua Lokken
Open Source Advocate
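
The form checks and the `pw usermod ... -H` call sketched in the quoted message, as an added example that is not part of the thread or of any tool named in it. It assumes the old password was already verified and the new one already hashed with crypt(3); the username pattern, the 8-character minimum and all function names are illustrative assumptions. It uses `-H 0` because `-H` takes a file descriptor and fd 0 is the stdin the hash is written to.

```python
import re
import subprocess

# Assumption: account names are limited to this conservative pattern.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,15}")
# Assumption: the hash is a crypt(3) string such as "$6$salt$digest".
HASH_RE = re.compile(r"\$[0-9a-z]+\$[./A-Za-z0-9$=,]+")


def check_form(username, old_password, new_password, confirm):
    """Return a list of validation errors for the four form fields."""
    errors = []
    if not USERNAME_RE.fullmatch(username):
        errors.append("invalid username")
    if not old_password:
        errors.append("old password required")
    if new_password != confirm:
        errors.append("new passwords do not match")
    if len(new_password) < 8 or new_password == old_password:
        errors.append("new password too short or unchanged")
    if any(ord(c) < 32 for c in new_password):
        errors.append("control characters in new password")
    return errors


def build_pw_call(username, crypt_hash):
    """Return (argv, stdin_bytes) for pw; nothing goes through a shell."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not HASH_RE.fullmatch(crypt_hash):
        raise ValueError("not a crypt(3) hash")
    # -H 0: pw reads the already-hashed password from fd 0 (stdin), so the
    # hash never appears in the process list or in a shell command line.
    argv = ["sudo", "-n", "pw", "usermod", username, "-H", "0"]
    return argv, crypt_hash.encode("ascii") + b"\n"


def set_password(username, crypt_hash, run=subprocess.run):
    """Apply the change; `run` is injectable so the logic can be tested."""
    argv, data = build_pw_call(username, crypt_hash)
    result = run(argv, input=data, capture_output=True, timeout=10)
    return result.returncode == 0
```

The sudoers entry for the CGI user should permit only `pw usermod`, so the web process gains no other root command.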