Re: Web based password changer

[Will Aoki <waoki@umnh.utah.edu>]

On Thu, Jan 22, 2004 at 10:04:48PM -0500, Tom White wrote:
> Dear List,
> 
> I'm looking for a decent, secure, web based password changer for
> user accounts.  Something that I can install on a debian box with a
> minimum amount of tweaking, and that isn't really any less secure than
> a shell user changing their password locally over ssh.  Is there
> anything out there that someone has had good experiences with?  

If you're storing passwords locally, poppassd is a good back-end for
your script, so that the web password changer doesn't need to run with
elevated privileges. If you're running a nonstandard PAM config, you
should use the poppassd currently in unstable because of bug #156971.

I've attached a slightly cleaned-up version of the password changer that
we use. It's written to update passwords stored in LDAP, but you'd just
have to change the &changepass($$$$) function to make it work with
poppassd. The password changer was explicitly designed to run without
any special privileges or tokens.

(If I had more time tonight, I'd make the &changepass change myself,
but...)

-- 
William Aoki  KD7YAF  waoki@umnh.utah.edu  /"\  ASCII Ribbon Campaign
                                           \ /  No HTML in mail or news!
                                            X
                                           / \