Marc Zucchelli on 20 Jan 2006 16:57:30 -0000



[PLUG] Programmers: PAM Authentication through a web application?


I am reinventing the wheel again, I am building a
webhosting control panel, and I would like users to
sign in with their FTP password.  I am trying to
figure out the best way of accomplishing this.

1.  I could keep an updated md5 hash of their password
in a database that I can authenticate against.

2.  I could set /etc/shadow to use md5 and
authenticate against that, this way the password hash
will only be stored in one place, which is good.  The
only problem is that:
echo "123456" | md5sum

gives me:

f447b20a7fcbf53a5d5be013ea0b15af

But an md5 password of 123456 in /etc/shadow looks
more like this:

$1$IlxzSzzz$Iagtf0Kf88rsCAUXzUlKf1

How am I supposed to compare the two?

I know I could set /etc/shadow to use DES and compare
with Perl's crypt() function, but those DES passwords
seem so tiny and insecure.

3.  This brought me to PAM, I was skimming through the
application developers guide and it seems like PAM
INSISTS on 'prompting' the user for a password when
_it_ wants to.  The guide mentioned a conversation
function for working with different protocols, but
this all seems a bit much for a simple web
application.

I want to know if anyone had any thoughts on this,
thanks!

Marc


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
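
Added example (not part of the original post or of any project's code): the $1$ field in /etc/shadow is MD5-crypt, which mixes the salt stored between the second and third "$" into 1000 rounds of MD5 and uses its own base64 alphabet, so it can never equal md5sum output (which here also hashed the newline that echo appends). To check a password, recompute the hash with the stored salt and compare in constant time. The function names are illustrative, and the test vector is the one given in the openssl passwd documentation.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """Encode `count` 6-bit groups of value, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt ($1$): salted, 1000 rounds, crypt-style base64."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = password + b"$1$" + salt
    n = len(password)
    while n > 0:                       # one byte of alt per password byte
        ctx += alt[:min(16, n)]
        n -= 16
    n = len(password)
    while n:                           # driven by the bits of the length
        ctx += b"\0" if n & 1 else password[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):              # stretching rounds
        block = password if i & 1 else final
        if i % 3:
            block += salt
        if i % 7:
            block += password
        block += final if i & 1 else password
        final = hashlib.md5(block).digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                  for a, b, c in order)
    return "$1$" + salt.decode() + "$" + enc + _to64(final[11], 2)

def verify(password: str, stored: str) -> bool:
    """Check a candidate against a $1$ shadow field; anything else fails."""
    parts = stored.split("$")          # ["", "1", salt, digest]
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False                   # locked ("!", "*") or another scheme
    if not parts[2] or any(c not in ITOA64 for c in parts[2]):
        return False
    candidate = md5_crypt(password.encode(), parts[2].encode())
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

On a system whose C library supports $1$, calling crypt() with the whole stored field as the salt argument performs the same recomputation.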