PHP/PAM to change user password?

被撕碎了的回忆 2021-02-10 02:16

Are there any working packages to change a Linux user's password using PHP?

I've tried using PECL:PAM but there's an error when it tries to change the password.


5 answers
  •  野趣味 (original poster)
    2021-02-10 03:16

    Changing PAM passwords from PHP directly requires too much access to your system files and services. This is because PAM by default uses the pam_unix module, which stores user credentials in system files owned by root. A good way to overcome this problem is to set up PAM to use the pam_ldap module. This way PAM will authenticate users using an LDAP server. Then from PHP you can bind to the LDAP server using the user credentials and change his password. Authorization for such a modification can be taken care of by the LDAP authorization mechanism. (Your application should also enforce authorization rules, in order to provide layered security.)

    The above configuration is not trivial. You must first set up an LDAP server, then migrate all your user data from system files (passwd, shadow) to the LDAP directory (there are automated tools for that). And finally you must install and set up the pam_ldap module. Any misconfiguration in the above process can lead to serious security issues.

    Please also note that this way you will be exposing the LDAP server to the web through your application. Any security issues that may affect LDAP authentication or authorization mechanisms will also affect your system security.

    Resources:

    Using LDAP to store POSIX accounts:

    http://www.ibm.com/developerworks/linux/library/l-openldap/

    Setup PAM to use LDAP for authentication:

    http://wiki.debian.org/LDAP/PAM
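
The bind-then-change flow described in the answer above, as an added example that is not part of the original answer. The server URI, DN layout, minimum length and the function name `change_own_password` are assumptions for illustration, and the directory is assumed to support StartTLS and the Password Modify extended operation (RFC 3062).

```php
<?php
declare(strict_types=1);

// Assumed values for illustration; replace with your directory's settings.
const LDAP_URI     = 'ldap://ldap.example.internal';
const LDAP_USER_DN = 'uid=%s,ou=People,dc=example,dc=com';
const MIN_PW_LEN   = 12; // assumed local policy

/**
 * Change the LDAP password of the logged-in user, authenticating as that user.
 * change_own_password() is a hypothetical helper; it throws on any failure.
 */
function change_own_password(string $sessionUser, string $target, string $old, string $new): void
{
    // Application-level authorization: a user may only change their own password.
    if ($sessionUser === '' || $sessionUser !== $target) {
        throw new RuntimeException('not authorized');
    }
    // An empty bind password is treated by many servers as an unauthenticated
    // bind that "succeeds", so it must never reach ldap_bind().
    if ($old === '' || strlen($new) < MIN_PW_LEN) {
        throw new RuntimeException('invalid password input');
    }
    // Escape the user name so it cannot alter the structure of the DN.
    $dn = sprintf(LDAP_USER_DN, ldap_escape($target, '', LDAP_ESCAPE_DN));

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('bad LDAP URI');
    }
    try {
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        // Refuse to send credentials over an unencrypted connection.
        if (!@ldap_start_tls($conn)) {
            throw new RuntimeException('StartTLS failed');
        }
        // Bind with the user's own credentials, not a privileged service account.
        if (!@ldap_bind($conn, $dn, $old)) {
            throw new RuntimeException('current password rejected');
        }
        // The directory's own access rules decide whether this bind may change the entry.
        if (@ldap_exop_passwd($conn, $dn, $old, $new) !== true) {
            throw new RuntimeException('change refused: ' . ldap_error($conn));
        }
    } finally {
        ldap_unbind($conn);
    }
}
```

Because the web process only ever holds the credentials the user typed, it needs no access to root-owned files and no directory administrator password.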
