LinuxQuestions.org


ooorah 10-12-2004 11:58 PM

Windows-based remote users need to change password
 
I just started a WISP - because I needed another challenge... I'm only offering email service and internet access to my customers. So, when I set up a user account, I give the account a password and then configure the user's computer (usually Windows-based OS) with that password for email access - checking the "save password" check box.

But, how can I allow my customers to change their own passwords without using Secure SSH to log in to the server? Preferably, I would like to use a hotlink on a website. Is this an easy set-up on Fedora? If not, then is there a software package that I could install to do this?

I am using Sendmail...

Thanks,
Tom

qwijibow 10-13-2004 09:19 AM

So what you are saying is you are using FEDORA linux as a mail server, and you want your customers to be able to change their passwords using a simple webpage on a web-browser interface?

The obvious solution is to first install APACHE web server, and use a CGI script to change their password.
Use a simple form that asks for $1 username, $2 old password, $3 new password, $4 re-type new password.

Then the CGI script runs the passwd command as the username entered in $1 (with password $2) and gives the program the new password in $3 and $4.

It's very simple... HOWEVER..

A HUGE word of warning... CGI scripts are famous for being easy to hack. Make sure the CGI scripts run with minimal rights, and are protected from code injection exploits.
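An added example, not part of qwijibow's post and not code from any project mentioned in this thread: a Python sketch of the four-field handler described above, written so that form input cannot inject commands or extra records. It swaps `passwd` for `chpasswd` (which reads `user:password` on stdin) and assumes the process is permitted to run it; `verify_old`, the policy constants and the function names are hypothetical.

```python
import pwd
import re
import subprocess

# Assumed policy values for this sketch, not taken from the thread.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
MIN_UID = 1000          # refuse root and system accounts
MIN_LEN, MAX_LEN = 10, 128


def validate(username, old_pw, new_pw, confirm, lookup=pwd.getpwnam):
    """Return a list of problems with the four form fields; empty means OK."""
    errors = []
    if not USERNAME_RE.fullmatch(username):
        return ["invalid username"]      # stop before any lookup on odd input
    try:
        if lookup(username).pw_uid < MIN_UID:
            errors.append("account not eligible")
    except KeyError:
        errors.append("account not eligible")   # same message: no user enumeration
    if new_pw != confirm:
        errors.append("new passwords do not match")
    if not MIN_LEN <= len(new_pw) <= MAX_LEN:
        errors.append("new password length out of range")
    # chpasswd reads one "user:password" record per line, so a control
    # character in the password could smuggle in a second record.
    if any(ord(c) < 32 or ord(c) == 127 for c in new_pw):
        errors.append("new password contains control characters")
    if new_pw == old_pw:
        errors.append("new password equals old password")
    return errors


def change_password(username, old_pw, new_pw, confirm, verify_old,
                    lookup=pwd.getpwnam, run=subprocess.run):
    """verify_old(username, old_pw) -> bool is a hypothetical hook (e.g. PAM)."""
    errors = validate(username, old_pw, new_pw, confirm, lookup)
    if errors:
        return errors
    if not verify_old(username, old_pw):
        return ["authentication failed"]
    # Argument list, no shell; the secret travels on stdin, not in argv,
    # so it never shows up in the process list.
    record = f"{username}:{new_pw}\n".encode()
    result = run(["chpasswd"], input=record, capture_output=True, timeout=10)
    return [] if result.returncode == 0 else ["password change failed"]
```

The `lookup` and `run` parameters exist so the handler can be exercised without root or real accounts.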

ooorah 10-13-2004 09:32 AM

Thanks for the suggestion. But, I am no longer a programmer (I used to hobby around as one) and was hoping to find something free online that I could incorporate. Thanks for the warning, too. That has me scared enough to not even try to write the script!

Anything else?

qwijibow 10-13-2004 11:58 AM

Okay...

Then have a look at this project....
http://www.rajeevnet.com/linux/passw...sswd_sync.html
It's a webpage that is designed for changing UNIX and Windows NIS passwords, but you can edit it to only change the Unix (Linux) password.
It may take a little tweaking (and the website needs re-designing.. it's UGLY) but it's easy enough.

ooorah 10-13-2004 05:39 PM

This looks good. Thanks for the link. I'll give it a try, but how much of a security risk is this? The instructions on that site say that it poses a security risk!

I'm still open to other suggestions or links to other projects....

Thanks again

qwijibow 10-13-2004 06:57 PM

No form of remote login is secure.
Logging in via telnet means sniffers can get passwords...
Logging in via secure shell (ssh) is not much better.... ssh hashes passwords, but the hashed passwords can still be stolen and used to log in just like a plain text password.

This is even worse over wireless networks... in conventional ethernet, the Hub / Gateway has to be hacked to sniff passwords... or a machine under the control of the attacker must be attached to the wire.... but in a wireless network, anyone in range can steal passwords.

It's impossible to make this secure.

