Okay, this is a DIRTY HACK that I came up with
I am not a regular coder, so please weigh the relevant security considerations
<?php
$cmdstr = 'echo ' . $_POST['user'] . ' ' . $_POST['pass'];
$cmdstr .= ' | /home/didar/pam_auth -n common-auth ';
exec($cmdstr,$read);
if (strstr($read[0],"OK")) {
echo "Success";
} else {
echo "Failed";
}
?>
The code above makes use of the "pam_auth" or "squid_pam_auth" helper program from Squid package. Go to the following link for more information about it -
http://devel.squid-cache.org/hno/pam_auth-2.0.txt
WARNING: This is simply a hack. Always USE SSL/TLS in the orignating submit form. Also, always do sanity checks on the user input data.
posix_getpwnam
(PHP 4, PHP 5)
posix_getpwnam — 指定した名前のユーザに関する情報を返す
説明
array posix_getpwnam ( string username )指定したユーザに関する情報を返します。
パラメータ
- username
英数字で表したユーザ名。
返り値
返される配列の要素は次のようになります。
表 255. ユーザ情報配列
| 要素 | 説明 |
|---|---|
| name | 要素 name はユーザ名を有しています。これは、通常、 実際の完全な名前ではなく16文字未満のユーザの"ハンドル名"となります。 この値はこの関数をコールした際に使用したパラメータ usernameと同じとする必要があり、 このため冗長な定義となります。 |
| passwd | 要素passwd には暗号化されたユーザのパスワードが含まれます。 シャドウパスワードを使用しているシステムでは、アスタリスクが代わりに 返されます。 |
| uid | 数値形式で表したユーザ ID。 |
| gid | ユーザのグループ ID。 実際のグループ名を調べたりそのグループのメンバーの一覧を 得るには関数 posix_getgrgid() を使用してください。 |
| gecos | GECOS は旧式の項であり、Honeywell バッチ処理プログラムの finger 情報フィールドを参照します。 しかし、このフィールドはまだ生きており、その内容はPOSIXで 規定されています。 このフィールドには、カンマで区切られた ユーザのフルネーム、オフィスの電話番号、家の電話番号に関する リストが含まれています。多くのシステムでは、ユーザのフルネーム のみが利用可能です。 |
| dir | この要素には、ユーザのホームディレクトリへの絶対パスが含まれています。 |
| shell | shell 要素には、ユーザのデフォルトシェルの実行ファイルへの絶対パスが 含まれています。 |
posix_getpwnam
Didar Hossain
06-Aug-2006 10:50
06-Aug-2006 10:50
bau at kg-fds dot de
19-Feb-2006 02:29
19-Feb-2006 02:29
Oh I forgot the following:
to change a Users password via PHP,
you can use the following (under Linux with installed Samba):
exec('echo -e "'.$oldpassword.'\n'.$newpassword.'\n'.$newpassword.'
"|smbpasswd -U'.$user.' -s')
The exec-command returns ""
if an error occured (then see the error_log of the web-server)
or a message "The password has been changed".
Good luck.
Baumgrtner
bau at kg-fds dot de
19-Feb-2006 02:22
19-Feb-2006 02:22
Hello, I've tried another, more easier way to check passwords than checking it to a pop3-server. If you are running a samba-server or a Windows PDC, so you can try to connect with the username/password you want to check to the netlogon of this server:
if (exec('echo "exit"|smbclient //server/netlogon -U'.$user.' '.$pass)=="") { ... }
If the username/password doesn't match, then the exec-command under LINUX returns an error.
Good luck
Baumgrtner
bau at kg-fds dot de
15-Feb-2006 04:24
15-Feb-2006 04:24
If you are running a pop3-daemon, so you can do authentification on pop3 by using fsockopen :-) and checking whether it returns +OK or -ERR
corychristison at lavacube dot net
17-Oct-2004 08:33
17-Oct-2004 08:33
For those of you who are writing daemons with PHP and are one for security. This function will not return any info if you have called PHP's chroot() function.
Took me a few minutes why it wouldn't find the user it was searching for.
30-Jun-2004 09:48
Use the PHP PAM module
http://www.math.ohio-state.edu/~ccunning/pam_auth/
marcus at nospamsynchromedia dot co dot uk
24-Aug-2002 05:12
24-Aug-2002 05:12
Given a non-existent username, this function returns a boolean FALSE.
perreal at lyon dot cemagref dot fr
19-Apr-2002 12:47
19-Apr-2002 12:47
To check passwords on a Unix-box, look at the mod_auth_external module for Apache, it uses external programs to do the real job. The server won't ever read the encrypted password.
One of them, pwauth, can be configured to use PAM or whatever is used on your system. Users that can run this program are configured at compile time. And this program can be called from PHP with exec(...).
vision_1967 at hotmail dot com
21-Nov-2001 04:23
21-Nov-2001 04:23
I needed to get access to the user information to do login/validation via an SSL connection and encountered the same problem with receiving '*' in the password field. After checking the documentation on posix_getpwnam, I saw a previous solution involving coding a C program. This was a bit bulky for me so I came up with my own solution.
Variations on this theme can probably be done to make the solution more programmer/reader friendly, but the way I did it accomplished the task that I needed to do.
IF the information you need to get from posix_getpwnam comes from a host participating in an NIS network, you can accomplish the same thing with the following command:
$autharray = split(":",`ypmatch $USER passwd`);
(pretty long explanation for such a short solution huh?)
You'll have to get at the fields by their index number ($autharray[0], $autharray[1], ...) using this method.
To create an associative array that is plug-in compatible with the posix_getpwnam function, you'll probably need to use the 'list' specifier to do the assignments.
I hope this helps someone.
--S
darryl at pointclark dot net
18-Oct-2001 02:43
18-Oct-2001 02:43
If you need to validate a *real* unix password on a system using shadowed passwords, the posix_getpwnam() function in PHP won't work (as mentioned, 'x', or '*', will be in the password field).
I have a need to verify a user/pass within PHP (using SSL!). I don't know if this is the best way, but it's what I'm doing at the moment (works well!).
First, you need some help from the OS. I wrote a tiny C utility that does the shadow look-up for me... It requires root access to read /etc/shadow. So after you compile (gcc -O2 -s -o spasswd -lcrypt spasswd.c), you need to either use sudo to run it, or
# chown root spasswd && chmod u+s spasswd
To code that I'm using to authenticate a user/pass from PHP looks like:
function Authenticate($realm)
{
global $PHP_AUTH_USER;
global $PHP_AUTH_PW;
if(!isset($PHP_AUTH_USER))
{
header("WWW-Authenticate: Basic realm=\"$realm\"");
header("HTTP/1.0 401 Unauthorized");
return false;
}
else
{
if(($fh = popen("/usr/sbin/spasswd", "w")))
{
fputs($fh, "$PHP_AUTH_USER $PHP_AUTH_PW");
$r = pclose($fh);
if(!$r)
return true;
}
}
header("WWW-Authenticate: Basic realm=\"$realm\"");
header("HTTP/1.0 401 Unauthorized");
return false;
}
The C source for spasswd.c:
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <crypt.h>
#include <shadow.h>
static char salt[12], user[128], pass[128];
void die(void)
{
memset(salt, '\0', 12);
memset(user, '\0', 128);
memset(pass, '\0', 128);
}
int main(int argc, char *argv[])
{
struct spwd *passwd;
atexit(die); die();
if(fscanf(stdin, "%127s %127s", user, pass) != 2)
return 1;
if(!(passwd = getspnam(user)))
return 1;
strncpy(salt, passwd->sp_pwdp, 11);
strncpy(pass, crypt(pass, salt), 127);
if(!strncmp(pass, passwd->sp_pwdp, 127))
return 0;
return 1;
}
Hope this helps someone...
sezery at damla dot net
04-Oct-2001 06:09
04-Oct-2001 06:09
User and group functions do not work on recent Redhat systems since these functions are based on /etc/group file but new redhat does not put group members' list into this file. Instead you need to examine /etc/passwd file and find members of a group by checking group id.
rcgraves+php at brandeis dot edu
22-Feb-2000 12:35
22-Feb-2000 12:35
Returns same array as posix_getpwuid; you just give it the name rather than number.