Re: Web based password changer
On Thu, Jan 22, 2004 at 10:04:48PM -0500, Tom White wrote:
> Dear List,
> I'm looking for a decent, secure, web based password changer for
> user accounts. Something that I can install on a debian box with a
> minimum amount of tweaking, and that isn't really any less secure than
> a shell user changing their password locally over ssh. Is there
> anything out there that someone has had good experiences with?

If you're storing passwords locally, poppassd is a good back-end for
your script, so that the web password changer doesn't need to run with
elevated privileges. If you're running a nonstandard PAM config, you
should use the poppassd currently in unstable because of bug #156971.

I've attached a slightly cleaned-up version of the password changer that
we use. It's written to update passwords stored in LDAP, but you'd just
have to change the &changepass($$$$) function to make it work with
poppassd. The password changer was explicitly designed to run without
any special privileges or tokens.

(If I had more time tonight, I'd make the &changepass change myself,
William Aoki KD7YAF email@example.com /"\ ASCII Ribbon Campaign
\ / No HTML in mail or news!
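
The poppassd hand-off described in the reply above, as an added example that is not part of the original post or the attached script: an unprivileged client passes the user's old and new password to poppassd and rejects any field that could inject a second command into the line-based dialogue. It assumes poppassd's usual exchange (user / pass / newpass / quit, 2xx replies on success) on loopback port 106; the function names are hypothetical and it is written in Python rather than the language of the attached script.

```python
import socket

class PoppassdError(Exception):
    """Raised when poppassd answers with anything other than a 2xx reply."""

def _expect_ok(rfile):
    # Each reply is a single line that starts with a 3-digit code; 2xx means success.
    line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
    if not (len(line) >= 3 and line[:3].isdigit() and line[0] == "2"):
        raise PoppassdError(line or "connection closed")
    return line

def _check(value):
    # The protocol is line-based: CR or LF inside a field would start a new command.
    if not value or any(c in value for c in "\r\n\0"):
        raise ValueError("empty value or control character in field")
    return value

def change_password(rfile, wfile, user, old, new):
    """Run the poppassd dialogue over an already-open binary stream pair."""
    # All fields are validated before anything is read or written.
    steps = [("user", _check(user)), ("pass", _check(old)), ("newpass", _check(new))]
    _expect_ok(rfile)                      # server greeting
    for verb, arg in steps:
        wfile.write(f"{verb} {arg}\r\n".encode("utf-8"))
        wfile.flush()
        _expect_ok(rfile)                  # raises on a non-2xx reply (e.g. wrong old password)
    wfile.write(b"quit\r\n")
    wfile.flush()
    return True

def changepass(user, old, new, host="127.0.0.1", port=106, timeout=10):
    # Assumption: poppassd listens on loopback port 106. The exchange is
    # cleartext, so the connection stays on the local host.
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("rb") as r, s.makefile("wb") as w:
            return change_password(r, w, user, old, new)
```

The web script calls `changepass()` with the credentials the user typed, so the old password is what authorizes the change and the script itself holds no privilege.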