PHP/PAM to change user password?
Are there any working packages to change a linux user passwords using PHP?
I\'ve tried using PECL:PAM but theres an error when it tries to change the password.
E
-
You could use RSBAC passwords.
$ret = system("echo \"newpass newpass\" | rsbac_password -n"); if ($ret) echo "fail."; else echo "done!";So much easier.
讨论(0) -
Are there any working packages to change a linux user passwords using PHP?
This is really, really dangerous. Assuming you understand the risks then you'll realise that you need to build a number of constraints before applying the change which must be implemented in the privilege level which allows passwords to be changed - i.e. the code to run this must be a standalone executable with either setuid executoin or called via sudo from your php code.
Of course there's no reason that the standalone code couldn't be written in PHP, other than the fact that the (at least, the last time I looked at this) the PAM bindings in PHP were rather immature,
You might want to have a look at the chpasswd program (available on Redhat and some others distros) or use proc_open('/usr/bin/passwd'... and read and respond to the prompts correctly.
HTH
C.
讨论(0) -
In addition to the answer posted by wag2369, make sure to perform the following:
Install pear which is the extension manager for PHP:
yum install pearInstall pam-devel from yum
yum install pam-develInstall the PHP PAM extension
pecl install --alldeps PAM--alldeps: Means automatically install all dependencies
Modify the file
/etc/php.iniand enter the following:extension=pam.so pam.servicename="php"Do the following to allow PAM php service:
cd /etc/pam.d ln -s login /etc/pam.d/phpRestart apache:
/etc/init.d/httpd restart/etc/shadow should be readable (this is a security hole, rethink please)
chmod g+r,o+r /etc/shadowInstall expect if not already installed
yum install expectFix the bugs in the code posted by wag2369 or just copy the modified code below: Use array_push($error,..) instead of array_push(&$error, ...) 'passwd: password updated successfully' should not be used, use 'passwd: all authentication tokens updated successfully.' to check instead.
<?php $messages = array(); function change_password ($user, $currpwd, $newpwd) { // Open a handle to expect in write mode $p = popen('/usr/bin/expect','w'); // Log conversation for verification $log = '/tmp/passwd_' . md5($user . time()); $cmd = ""; $cmd .= "log_file -a \"$log\"; "; // Spawn a shell as $user $cmd .= "spawn /bin/su $user; "; $cmd .= "expect \"Password:\"; "; $cmd .= "send \"$currpwd\\r\"; "; $cmd .= "expect \"$user@\"; "; // Change the unix password $cmd .= "send \"/usr/bin/passwd\\r\"; "; $cmd .= "expect \"(current) UNIX password:\"; "; $cmd .= "send \"$currpwd\\r\"; "; $cmd .= "expect \"Enter new UNIX password:\"; "; $cmd .= "send \"$newpwd\\r\"; "; $cmd .= "expect \"Retype new UNIX password:\"; "; $cmd .= "send \"$newpwd\\r\"; "; $cmd .= "expect \"passwd: all authentication tokens updated successfully.\"; "; // Commit the command to expect & close fwrite($p, $cmd); pclose ($p); // Read & delete the log $fp = fopen($log,'r'); $output = fread($fp, 2048); fclose($fp); unlink($log); $output = explode("\n",$output); return (trim($output[count($output)-2]) == 'passwd: all authentication tokens updated successfully.') ? true : false; } function process_post() { if ((!isset($_SERVER['HTTP_REFERER'])) || (strpos($_SERVER['HTTP_REFERER'], $_SERVER['SCRIPT_NAME']) === FALSE)) { echo "GO AWAY!"; exit(); return FALSE; } global $messages; $username = trim($_POST['username']); $password_current = trim($_POST['password_current']); $password_new = trim($_POST['password_new']); $password_confirm = trim($_POST['password_confirm']); // Check for blanks if ($username == '' || $password_current == '' || $password_new == '' || $password_confirm == '') { array_push($messages, "ERROR: You cannot leave any field empty."); return FALSE; } // Check username if (!ctype_alnum($username)) { array_push($messages, "ERROR: You've entered an invalid username."); return FALSE; } // Check to see if new password is correctly typed if ($password_new != $password_confirm) { array_push($messages, "ERROR: New Password and Confirmation do not match."); return FALSE; } // Check if current password is valid (not really neccessary) $error = ''; if (!pam_auth($username, $password_current, $error, FALSE)) { if (trim($error) == "Permission denied (in pam_authenticate)") array_push($messages, "ERROR: Your username/password was not accepted."); else array_push($messages, "ERROR: " . $error); return FALSE; } if (change_password ($username, $password_current, $password_new)) array_push($messages, "Password Successfully Changed"); else array_push($messages, "ERROR: Password change failed."); } if ($_SERVER['REQUEST_METHOD'] == 'POST') process_post(); ?><html> <head> <title>Passwords</title> <style type="text/css"> body { font-family: Verdana, Arial, sans-serif; font-size: 12px; } label { width: 150px; display: block; float: left; } input { float: left; } br { clear: both; } .message { font-size: 11px; font-weight: bold; } .error { color:#C00; } </style> </head> <body> <h2>Change Passwords</h2> <form action="<?= $_SERVER['SCRIPT_NAME'] ?>" method="post"> <fieldset> <? if (count($messages) != 0) { foreach ($messages as $message) { ?> <p class="message<?= ((strpos($message, 'ERROR:') === FALSE) ? '' : ' error') ?>"><?= $message ?></p> <? } } ?> <label>Username: </label> <input type="text" name="username" value="halaluya" /><br /> <label>Current Password:</label> <input type="password" name="password_current" value="dev0te@m" /><br /> <label>New Password:</label> <input type="password" name="password_new" value="123" /><br /> <label>Confirm Password:</label> <input type="password" name="password_confirm" value="123" /><br /> <input type="reset" value="Reset" /> <input type="submit" value="Submit" /> </fieldset> </form> </body> </html>讨论(0) -
Changing PAM passwords from PHP directly, requires to much access to your system files and services. This is because PAM by default uses the pam_unix module, that stores user credentials in system files owned by root. A good way to overcome this problem, is to setup PAM to use the pam_ldap module. This way PAM with authenticate users using an LDAP server. Then from PHP you can bind to the LDAP server using the user credentials and change his password. Authorization for such a modification will can be taken care of by the LDAP authorization mechanism. (Your application should also enforce authorization rules, in order to provide layered security)
The above configuration is not trivial. You must first setup an LDAP server, then migrate all your user data from system files (passwd, shadow) to the LDAP directory. (there are automated tools for that). And finally you must install and setup the pam_ldap module. Any misconfigurations in the above process can lead to serious security issues.
Please, also note that this way you will be exposing the LDAP server to the web through your application. Any security issues that may affect LDAP authentication or authorization mechanisms will also affect your system security.
Resources:
Using LDAP to store POSIX accounts:
http://www.ibm.com/developerworks/linux/library/l-openldap/
Setup PAM to use LDAP for authentication:
http://wiki.debian.org/LDAP/PAM
讨论(0) -
After hours of research online, I wasn't able to find a super good option so I'm implemented this hack. It uses this article for changing passwords using PHP.
I'm also using the PECL:PAM package to add a little verification.
This page is on a secure HTTPS folder (automatic redirect via .htaccess)
<?php $messages = array(); function change_password ($user, $currpwd, $newpwd) { // Open a handle to expect in write mode $p = popen('/usr/bin/expect','w'); // Log conversation for verification $log = '/tmp/passwd_' . md5($user . time()); $cmd .= "log_file -a \"$log\"; "; // Spawn a shell as $user $cmd .= "spawn /bin/su $user; "; $cmd .= "expect \"Password:\"; "; $cmd .= "send \"$currpwd\\r\"; "; $cmd .= "expect \"$user@\"; "; // Change the unix password $cmd .= "send \"/usr/bin/passwd\\r\"; "; $cmd .= "expect \"(current) UNIX password:\"; "; $cmd .= "send \"$currpwd\\r\"; "; $cmd .= "expect \"Enter new UNIX password:\"; "; $cmd .= "send \"$newpwd\\r\"; "; $cmd .= "expect \"Retype new UNIX password:\"; "; $cmd .= "send \"$newpwd\\r\"; "; $cmd .= "expect \"passwd: password updated successfully\"; "; // Commit the command to expect & close fwrite($p, $cmd); pclose ($p); // Read & delete the log $fp = fopen($log,r); $output = fread($fp, 2048); fclose($fp); unlink($log); $output = explode("\n",$output); return (trim($output[count($output)-2]) == 'passwd: password updated successfully') ? true : false; } function process_post() { if ((!isset($_SERVER['HTTP_REFERER'])) || (strpos($_SERVER['HTTP_REFERER'], $_SERVER['SCRIPT_NAME']) === FALSE)) { echo "GO AWAY!"; exit(); return FALSE; } global $messages; $username = trim($_POST['username']); $password_current = trim($_POST['password_current']); $password_new = trim($_POST['password_new']); $password_confirm = trim($_POST['password_confirm']); // Check for blanks if ($username == '' || $password_current == '' || $password_new == '' || $password_confirm == '') { array_push(&$messages, "ERROR: You cannot leave any field empty."); return FALSE; } // Check username if (!ctype_alnum($username)) { array_push(&$messages, "ERROR: You've entered an invalid username."); return FALSE; } // Check to see if new password is correctly typed if ($password_new != $password_confirm) { array_push(&$messages, "ERROR: New Password and Confirmation do not match."); return FALSE; } // Check if current password is valid (not really neccessary) if (!pam_auth($username, $password_current, &$error, FALSE)) { if (trim($error) == "Permission denied (in pam_authenticate)") array_push(&$messages, "ERROR: You've username/password was not accepted."); else array_push(&$messages, "ERROR: " . $error); return FALSE; } if (change_password ($username, $password_current, $password_new)) array_push(&$messages, "Password Successfully Changed"); else array_push(&$messages, "ERROR: Password change failed."); } if ($_SERVER['REQUEST_METHOD'] == 'POST') process_post(); ?><html> <head> <title>Passwords</title> <style type="text/css"> body { font-family: Verdana, Arial, sans-serif; font-size: 12px; } label { width: 150px; display: block; float: left; } input { float: left; } br { clear: both; } .message { font-size: 11px; font-weight: bold; } .error { color:#C00; } </style> </head> <body> <h2>Change Passwords</h2> <form action="<?= $_SERVER['SCRIPT_NAME'] ?>" method="post"> <fieldset> <? if (count($messages) != 0) { foreach ($messages as $message) { ?> <p class="message<?= ((strpos($message, 'ERROR:') === FALSE) ? '' : ' error') ?>"><?= $message ?></p> <? } } ?> <label>Username: </label> <input type="text" name="username" /><br /> <label>Current Password:</label> <input type="password" name="password_current" /><br /> <label>New Password:</label> <input type="password" name="password_new" /><br /> <label>Confirm Password:</label> <input type="password" name="password_confirm" /><br /> <input type="reset" value="Reset" /> <input type="submit" value="Submit" /> </fieldset> </form> </body> </html>I also have this question/answer posted in https://serverfault.com/questions/150306/how-to-let-users-change-linux-password-from-web-browser/152409#152409
讨论(0)
加载中...
- 热议问题