Thanks to all who responded. Since everyone had something a little bit
different to say, I have included their remarks below their email. I have
decided to use the getprpwent/setprpwent solution since I have that almost
finished. The Perl/Expect (or Net::Telnet) solution actually sounds better
to me. If I get time, I may rewrite the CGI using that solution.
wmills_at_WellsFargo.COM:
This is probably a REALLY bad idea. If you need C2 security, you probably
don't want to do this.
MikeSAFH_at_aol.com:
I implemented a password change request form using Perl and Expect. The Perl
script would take the form input from the web and fork a copy of expect out;
expect would then su to the user (thus verifying the current password) and try
to change password. You can listen for error messages and report back too.
This way lets you do the whole password thing without creating any password-
containing temp files.
I'd mail them to you but I no longer work where I set those up...
Keith Piepho <kap_at_uakron.edu>:
Yes we implemented much as you are trying to do, with
getprpwnam/putprpwnam. Not horrible, but not straightforward either.
Unless you find a place where all the fields are well documented, which I
never did. A good bit of care should be taken in examining the differences
between the 'flag' versus the 'field' parts of the record, and how they
interact. Also, some careful examination of what fields should be
queried/set (like fixing the time-password-last-changed field, etc.) and
which should be left alone.
>Can acceptable_password check the passwords in pwdict?
You can set up code to do this yourself, as the routines are/can be set up
to call /tcb/bin/pwpolicy (a shell script you can modify to do your own
checks). A look at the comments in this file, and in "man putprpwent" can
get you started.
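The reply above says the password-acceptability routines can hand the candidate to a site-modifiable policy script. The following is an added example, not code from the thread or from the system's own /tcb/bin/pwpolicy: it shows the kind of check such a hook would run (length, username reuse, character mix, and a dictionary lookup with the simple manglings a cracker tries first). The calling convention (username as the first argument, candidate password on stdin, exit 0 to accept) and the dictionary path are assumptions; a few constructed words are embedded so it runs without a dictionary file.

```perl
#!/usr/bin/perl
# Added example, not from the thread: a dictionary/strength check of the kind
# a site-local password policy hook could run before a new password is accepted.
# Interface (username in argv, password on stdin, exit 0 = accept) is an
# assumption, not the documented pwpolicy contract.
use strict;
use warnings;

my $MIN_LENGTH = 8;
my $DICT_FILE  = '/path/to/pwdict';   # placeholder: site dictionary, one word per line
# Constructed sample entries so the script works even without $DICT_FILE.
my @BUILTIN_WORDS = qw(password secret welcome letmein qwerty monkey dragon);

# Build a case-folded lookup table from the built-in list plus the file, if readable.
sub load_dictionary {
    my ($path) = @_;
    my %dict = map { lc($_) => 1 } @BUILTIN_WORDS;
    if (defined $path && open my $fh, '<', $path) {
        while (my $w = <$fh>) { chomp $w; $dict{lc $w} = 1 if length $w; }
        close $fh;
    }
    return \%dict;
}

# Forms a dictionary cracker tries first: case-folded, reversed, and with one
# leading and/or trailing digit or punctuation character stripped.
sub candidate_forms {
    my ($pw) = @_;
    my $lc  = lc $pw;
    my $rev = reverse $lc;
    my %forms = ($lc => 1, $rev => 1);
    (my $t = $lc) =~ s/[\d\W]$//;                 $forms{$t} = 1;
    (my $h = $lc) =~ s/^[\d\W]//;                 $forms{$h} = 1;
    (my $b = $lc) =~ s/^[\d\W]//; $b =~ s/[\d\W]$//; $forms{$b} = 1;
    return keys %forms;
}

# Returns undef if the password is acceptable, otherwise the reason to reject it.
# e.g. ('jdoe', 'password1')  -> "based on a dictionary word"
#      ('jdoe', 'Tr1angle-Kite') -> undef
sub acceptable_password {
    my ($user, $pw, $dict) = @_;
    return "too short (minimum $MIN_LENGTH characters)" if length($pw) < $MIN_LENGTH;
    return "must not contain the username"
        if defined $user && length $user && index(lc $pw, lc $user) >= 0;
    my $classes = 0;
    $classes++ if $pw =~ /[a-z]/;
    $classes++ if $pw =~ /[A-Z]/;
    $classes++ if $pw =~ /\d/;
    $classes++ if $pw =~ /[^A-Za-z0-9]/;
    return "must mix at least two of lower case, upper case, digits, punctuation"
        if $classes < 2;
    for my $form (candidate_forms($pw)) {
        return "based on a dictionary word" if $dict->{$form};
    }
    return undef;
}

# Hook entry point: password arrives on stdin rather than argv so it never
# shows up in 'ps' output or in the shell history of whoever invokes the hook.
unless (caller) {
    my $user = shift @ARGV // '';
    my $pw   = <STDIN> // '';
    chomp $pw;
    my $reason = acceptable_password($user, $pw, load_dictionary($DICT_FILE));
    if (defined $reason) { print STDERR "$reason\n"; exit 1; }
    exit 0;
}
```

Because the check runs on the candidate before it is hashed, the hook has to be invoked by the code that already holds the plaintext (the password-change routine itself); it should never be handed a copy through a temporary file.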
Simon Greaves <Simon.Greaves_at_usp.ac.fj>:
We're looking into it, but I was planning on using perl's Net::Telnet
module or expect within some cgi, idea being to mimic the user logging
in interactively and typing 'passwd'. The user would need to supply
their username, old password and new password to a form, the CGI for
which will open a telnet connection, attempt to login using
username/oldpassword, run 'passwd' using the newpassword supplied and
return some status to the user.
This should be more portable between different OSes (we use VMS - gack -
too) and has the advantage that it doesn't need to run as root which I
think you will need to use the sia stuff.
If you're committed to using sia, _and_ it insists on writing to the
'screen', one possible solution is to use a pty (pseudo-terminal). I'm
not really up on how you do this, but if you look at the expect source
code (I think bin/login et al use them too) you should find some
pointers.
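Two replies above describe the same approach: let the CGI mimic an interactive user, with su verifying the current password and passwd doing the change, so nothing privileged runs and no temp file holds a password. The following is an added example of that dialogue written with Expect.pm (which allocates the pty the last reply mentions); it is not code from any of the respondents. It spawns su locally instead of opening a telnet session, which keeps the passwords off the network. The form field names, the prompt patterns and the timeout are assumptions about a typical su/passwd exchange and must be checked against the real programs on the target system.

```perl
#!/usr/bin/perl
# Added example, not from the thread: a CGI back end that changes a user's
# password by driving 'su' and 'passwd' through Expect.pm. su verifies the
# current password, passwd runs as that user (not as root), and the passwords
# only ever live in this process's memory and the pty.
# Prompt patterns below are assumptions about a typical su/passwd dialogue.
use strict;
use warnings;
use CGI ();
use Expect;

# Returns (1, 'ok') on success or (0, reason) on failure. The reason is kept
# generic on purpose: nothing returned to the browser reveals a password.
sub change_password {
    my ($user, $old, $new) = @_;
    return (0, 'invalid username') unless $user =~ /^[a-z_][a-z0-9_-]{0,31}$/;
    return (0, 'passwords must not be empty') if $old eq '' || $new eq '';

    my $exp = Expect->spawn('su', '-', $user, '-c', 'passwd')
        or return (0, 'cannot start su');
    $exp->log_stdout(0);       # never echo the dialogue (passwords included) to the client
    my $timeout = 20;          # seconds to wait for each prompt
    my $outcome = 'no confirmation from passwd';

    $exp->expect($timeout,
        # su's own prompt for the current password
        [ qr/^Password:\s*$/mi    => sub { shift->send("$old\n"); exp_continue; } ],
        # passwd on many systems asks for the old password again before the new one
        [ qr/old password:\s*$/mi => sub { shift->send("$old\n"); exp_continue; } ],
        # 'New password:' and 'Re-enter new password:' both receive the new value
        [ qr/new password:\s*$/mi => sub { shift->send("$new\n"); exp_continue; } ],
        [ qr/(?:sorry|incorrect|authentication failure)/i
              => sub { $outcome = 'current password rejected'; } ],
        [ qr/(?:too short|too simple|dictionary|too similar|must contain|unchanged)/i
              => sub { $outcome = 'new password rejected by policy'; } ],
        [ qr/(?:password (?:successfully )?changed|authentication tokens? updated)/i
              => sub { $outcome = 'ok'; } ],
        [ 'eof'     => sub { } ],
        [ 'timeout' => sub { $outcome = 'timed out waiting for passwd'; } ],
    );
    $exp->soft_close();
    my $rc = $exp->exitstatus();   # wait status; 0 means passwd exited cleanly

    return (1, 'ok') if $outcome eq 'ok' && defined $rc && $rc == 0;
    return (0, $outcome eq 'ok' ? 'passwd exited with an error' : $outcome);
}

# CGI glue. Field names 'username', 'oldpass', 'newpass' are assumed.
# Only POST is accepted, so passwords never appear in a query string that
# would be written to the web server's access log.
my $q = CGI->new;
print $q->header('text/plain');
if (($ENV{REQUEST_METHOD} // '') ne 'POST') {
    print "This form must be submitted with POST.\n";
    exit 0;
}
my ($ok, $msg) = change_password(
    scalar($q->param('username')) // '',
    scalar($q->param('oldpass'))  // '',
    scalar($q->param('newpass'))  // '',
);
print $ok ? "Password changed.\n" : "Password not changed: $msg\n";
```

The script runs as the web server's user; su supplies the privilege boundary, which is what lets this approach avoid the root-owned CGI that the protected-password-database route needs. Serve the form over an encrypted connection, since the passwords cross the browser-to-server hop in the POST body.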
Pete Simpson <psimpson_at_eclipseamerica.com>:
I don't know that I can help you (I'm not a programmer) but at one point
Digital shipped a "freeware" product for Web based admin of their DEC
Unix systems called "Electronic Locker". This was back in the 3.0 days.
Electronic Locker allowed sysadmins to change user passwords, create
accounts, etc. all via web forms. I don't know if it still exists or
not. As I recall, the Electronic Locker was written in Tcl/Tk, so I
don't know if that would be a problem or not.
Ellen Davis
Ellen.Davis_at_uc.edu
Received on Thu Feb 25 1999 - 15:48:27 NZDT