editing/viewing password files

qwertyjjj · 08-09-2009, 08:31 AM

I created a password file for use with ncsa_auth in squid.
Firstly, is there a way to view the passwords in the file or are they all encrypted?
Secondly, is there a way to get squid to reauthenticate the user after 24 hours?

Meson · 08-09-2009, 10:25 AM

I can't speak for your particular password file. But the passwords in pwfiles are usually hashed. It's a one way encryption. You can't get the password by knowing the hash, you can only get the hash by knowing the password.

qwertyjjj · 08-09-2009, 10:35 AM

Quote:

Originally Posted by Meson

I can't speak for your particular password file. But the passwords in pwfiles are usually hashed. It's a one way encryption. You can't get the password by knowing the hash, you can only get the hash by knowing the password.

So, if you forget the password in that file for a login, what can you do? Only reset it? You can never view it?

How can you delete users from password files? Is it a simple case of using the vi editor? This is a htpasswd file for use with squid and ncsa_authentication.

repo · 08-09-2009, 10:43 AM

Quote:

So, if you forget the password in that file for a login, what can you do? Only reset it? You can never view it?

That's the whole point of passwords, no?

Quote:

How can you delete users from password files?

userdel or deluser

Meson · 08-09-2009, 11:44 AM

Quote:

Originally Posted by qwertyjjj

So, if you forget the password in that file for a login, what can you do? Only reset it? You can never view it?

Yes, if you forget the password you can only reset it. If you REALLY want to retrieve the password if you forget it, you can write a wrapper for htpasswd (I think that's the name of the command, for apache at least). The wrapper will read the password from STDIN, pass it to htpasswd as normal, but also store it somewhere else - in plain text or some sort of encrypted format of your choosing.

Quote:

Originally Posted by qwertyjjj

How can you delete users from password files? Is it a simple case of using the vi editor? This is a htpasswd file for use with squid and ncsa_authentication.

I think there are some commands for this, but you can also remove users from the file manually.

Quote:

Originally Posted by repo

userdel or deluser

These are for system users. I don't think they are the are the commands to do what he wants.

chrism01 · 08-09-2009, 06:45 PM

http://httpd.apache.org/docs/2.0/programs/htpasswd.html

qwertyjjj · 08-09-2009, 07:34 PM

Can htpasswd be issued by php?
ie users can reset their passwords if needed through a php script changing the value in a passwd file currently edited by:

htpasswd /etc/squid/squid_passwd www

chrism01 · 08-09-2009, 07:37 PM

So long as its running as the owner of the file, probably apache. Note that you may have privileges issues as apache drops privs on the child processes that do all the work.
Have a good read of the Apache site I referenced.

qwertyjjj · 08-09-2009, 07:39 PM

Quote:

Originally Posted by chrism01

So long as its running as the owner of the file, probably apache. Note that you may have privileges issues as apache drops privs on the child processes that do all the work.
Have a good read of the Apache site I referenced.

ok - will do.
But does it have to be issued through php using the system command or can you just edit using other methods?

chrism01 · 08-09-2009, 07:57 PM

Well, you can get Apache to call a prog in any lang if you set up the cfg correctly ... and most lngs will have more than one way of calling an external prog like htpasswd.

eg in Perl you have

system()
`xxx` (backquotes)
qx(blah) (similar to back quotes)

and so on. I'm fairly sure php has more than one method, but I'm not a php guy.
PHP manual:
http://www.php.net/manual/en/