Validating Unix users 3

Status
Not open for further replies.

thendal

Programmer
Aug 23, 2000
284
Hi All!

Has anybody validated a Unix user through Perl?
I have a set of users who have Unix accounts. They were asked to log in to webapps and, to identify themselves, asked to enter their Unix login name & password. Is there a way I can validate this username/password against a password file?

Any advice will be appreciated.

Thank you,
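
What the question above asks for, as an added example that is not part of any post in this thread: checking a submitted password against a passwd/shadow-style hash with Perl's built-in crypt(). It assumes the hashes are readable on the machine running the script (on a real system /etc/shadow is readable only by root) and a crypt(3) with SHA-512 support; the sample accounts and the function names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Compare two strings without stopping at the first differing byte.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Parse "user:hash:..." lines (the first two fields of an /etc/shadow entry).
sub load_table {
    my ($text) = @_;
    my %table;
    for my $line (split /\n/, $text) {
        my ($user, $hash) = split /:/, $line, 3;
        $table{$user} = $hash if defined $user && defined $hash;
    }
    return \%table;
}

# Return 1 if $pass matches the stored hash for $user, otherwise 0.
sub valid_login {
    my ($table, $user, $pass) = @_;
    return 0 unless defined $user && defined $pass;
    return 0 unless $user =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;   # reject odd form input
    my $stored = $table->{$user};
    # An empty field, "*" or a leading "!" means no usable password (locked account).
    return 0 if !defined $stored || $stored eq '' || $stored =~ /\A[*!]/;
    # crypt() takes the scheme and salt from the stored hash itself.
    my $try = crypt($pass, $stored);
    return (defined $try && const_eq($try, $stored)) ? 1 : 0;
}

# Constructed sample data: the hash is generated here, not copied from a real system.
# '$6$...' selects SHA-512 crypt, which assumes a glibc-style crypt(3).
my $hash = crypt('correct horse', '$6$Xq3fTz81$');
die "crypt(3) on this system lacks SHA-512 support\n"
    unless defined $hash && $hash =~ /\A\$6\$/;
my $table = load_table("alice:${hash}:19000:0:99999:7:::\nlocked:!:19000:0:99999:7:::\n");

for my $case (['alice', 'correct horse'], ['alice', 'wrong'],
              ['locked', ''], ['nobody', 'x'], ['alice;id', 'x']) {
    printf "%-10s %-15s => %s\n", @$case,
        valid_login($table, @$case) ? 'valid' : 'rejected';
}
```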
 
I wouldn't verify their webapps with their Unix password unless you have serious stringent controls in place, such as SSL, referers allowed etc.

If you're going this route anyway, you could probably use Expect (search.cpan.org), or Net::SSH

Without SSL I'd have thought that you're going to be transmitting the password in clear text over the net

HTH
--Paul

 
Thanks Paul. Unfortunately this will be a one-time validation because there is no other source the users have to identify themselves...

Anyhow, as per your advice I used Net::SSH

Here is the sample code I used to test

use Net::SSH::Perl;
$host='pop.test.edu';
$user='username';
$pass='password';
$ssh = Net::SSH::Perl->new($host);
$ssh->login($user, $pass);
$y=$ssh->cmd("pwd");

gave me error
"Selected cipher type not supported by server. at line 7"

server uses DH crypt as default....but while installing I didn't see an option for DH in Net::SSH::Perl

I had four options

[1] IDEA
[2] DES
[3] DES3
[4] Blowfish
[5] RC4

Crypt::IDEA is the default; I went with the default option.

Any advice will be more appreciated.

Thanks Again.





 
Even using Net::SSH, unless you're going over SSL, you're still going to be transmitting usernames and passwords in clear text, unless you use some encryption algorithm on the client side, and then decrypt it in your script.

Problem: If someone gets your script at the client side, they're going to be able to work back to the usernames and passwords.

Can you get SSH & SSL installed on the webserver?

--Paul
 
Thanks Paul, I did get ssh and ssl on the web server.

So I tried something like this on the command line

ssh username@pop.test.edu

The command asked for the password and it worked.

But how can I make this work in a Perl script? I can issue a command something like this in Perl

system('ssh username@pop.test.edu')
but how will I pass the user's password... or in other words

how to make system work in interactive mode.

Thank you.

 
you know, if you want to, Net::SSH::perl gives you the option to install all five by just typing 1 2 3 4 5 when you run the install. Might wanna give it a shot.
 
the cipher modules:

thendal said:
server uses DH crypt as default....but while installing I didn't see an option for DH in Net::SSH::Perl

I had four options

[1] IDEA
[2] DES
[3] DES3
[4] Blowfish
[5] RC4

Crypt::IDEA is the default; I went with the default option.

I was clarifying that you can install more than one when you install the module.
 
The problem I am having right now is that when I run the script I am getting this error

"Selected cipher type not supported by server. at line 7"


Here is the sample code I used to test

use Net::SSH::Perl;
$host='pop.test.edu';
$user='username';
$pass='password';
$ssh = Net::SSH::Perl->new($host);
$ssh->login($user, $pass);
$y=$ssh->cmd("pwd");



So I tried to use the other option, using the Perl system function.

system `ssh user@pop.test.edu`

The problem with this is I don't know how to pass the password in interactive mode...

Thank you.

 
system `ssh user@pop.test.edu`

that won't make it interactive.....that just runs the command on your system, and nothing else....no output no nothing

a little trick I learned to make something interactive quiet running though:

system((echo "$password") | ssh user@pop.test.edu);
 
Mighty nice, with the echo, and the password and the thing ...

--Paul
 
I tried

$password="pass";
$t=system((echo "$password") | ssh user@pop.test.edu);
print "Success : $t";

gave me an error
syntax error at line 2, near "echo "$password""
Execution of command.pl aborted due to compilation errors.

Are there any other options ....

:(
 
Oops

Code:
system("(echo $password) | ssh user\@pop.test.edu");
 
Yup, v1 and v2. Also, you don't have to open the whole box like that if you don't want to, you can just restrict certain users to running certain commands via ssh with no password.

ChrisP, RHCE
 
Thanks Chris & nawleg, I am not storing the user's password.

All I am looking for is whether the user has a Unix account on the machine. The user comes to a web app and enters his Unix username and password, and I have to validate it against the machine and, if they are valid, return yes, he/she is good to log in.

It has to be done through a web app...

I tried nawleg's method
$password='pass';
$t=system("(echo $password) | ssh user\@pop.test.edu");
print "Success : $t";

I got something like this

Pseudo-terminal will not be allocated because stdin is not a terminal.
and also it prompts for the password.....

When I entered the password it logged me into the system ...
but the system's logged-in screen became unstable ......I had to kill the terminal to get out of it....







 
Here are some simplified instructions for setting up the password-less ssh logins that I wrote...

Connect FROM comp = Tiger
Connect TO comp = Lion


From Tiger...

ssh-keygen -t dsa
(when asked for location and password, just press enter)

scp ~/.ssh/id_dsa.pub root@lion:/root


From Lion...
cat /root/id_dsa.pub
ssh-dss AAAB3NzaC1kc3MAAACBAPDKnsR29YiaAgjBbqIGh/78NXjNRA3fwjMFVjv3WE9wLc8TUvxhE7lBk9kBbu2s5Ny4bvm5ZMREebKd1fsoAoXaXA8jgBb84jbsBu6QTBhFgH7iRHSCeogvirzV2EZtgsL0vQtvrVaTT5VeNgkPEPERLymGo2uJB7yrbNMkwyBxAAAAFQDxH4VVE6I0kob6zjFrgS5gPppGfwAAAIEAwwL1MWM16isiEpeJO+H9cBOcjBsHJsYzRAd5Z3kOV9DZ7ZhBK6Ljd+bk6zyEygcq6dXu1P1DqRlEUXtS9LxzO0pVsNZQFn0sf2fT/4ET4N7MbFiHJun1IfEfUV//NZJq8NX2GrN1lhmI9bhidNYMD+AJcLPn1ewh2XUxPn0NiIgAAACAMugkdgXuPwdMKLQmaZeb8ufCvrqN+rnAiBWmplOSvw3ccwN+Xjp5PHgnyn4CVkHo4q/AQYPJXJGePb1lt0BxyJri5aqvBWjq9SPnKyfQDPxaFuglbxt4d5hhMqtUZU3HnRR7QGJ3V6glydBB1ZlqExWWdgkqijyVY47wPFGdafY= root@tiger

Open id_dsa.pub with vi and prepend from=tiger

cat /root/id_dsa.pub
from="192.168.1.81" ssh-dss <key data as shown above> root@tiger


cat id_dsa.pub >> /root/.ssh/authorized_keys



From Tiger...

Now you should be able to run ssh commands without entering a password...

ssh root@lion echo "success"
success


ChrisP, RHCE
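
An added example, not part of ChrisP's instructions: a Perl check over an authorized_keys file that reports entries missing the from= restriction used above or a command= restriction (the option behind limiting a key to certain commands), and entries that use ssh-dss keys. The sample entries, the KEYDATA placeholder and the /usr/local/bin/check-user path are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my %KEY_TYPE = map { $_ => 1 } qw(ssh-dss ssh-rsa ssh-ed25519
    ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521);

# Split one entry into (options hashref, key type, comment); empty list if malformed.
sub parse_entry {
    my ($line) = @_;
    my %opt;
    # Leading options are comma-separated; their values are double-quoted.
    until ($line =~ /\A(\S+)\s/ && $KEY_TYPE{$1}) {
        $line =~ s/\A([A-Za-z-]+)(?:="((?:[^"\\]|\\.)*)")?,?\s*// or return;
        $opt{lc $1} = defined $2 ? $2 : 1;
    }
    my ($type, undef, $comment) = split ' ', $line, 3;
    return (\%opt, $type, defined $comment ? $comment : '');
}

# Return one finding string per missing restriction or weak key type.
sub audit {
    my ($text) = @_;
    my (@findings, $n);
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /\A\s*(?:#|\z)/;            # comments and blank lines
        my ($opt, $type, $who) = parse_entry($line);
        unless ($opt) {
            push @findings, "line $n: unparseable entry";
            next;
        }
        push @findings, "line $n ($who): no from= restriction"
            unless exists $opt->{from};
        push @findings, "line $n ($who): no command= restriction, full shell access"
            unless exists $opt->{command};
        push @findings, "line $n ($who): DSA key, disabled by default since OpenSSH 7.0"
            if $type eq 'ssh-dss';
    }
    return @findings;
}

# Constructed sample; KEYDATA stands in for the base64 key blob.
my $sample = <<'END';
ssh-dss KEYDATA root@tiger
from="192.168.1.81" ssh-dss KEYDATA root@tiger
from="192.168.1.81",command="/usr/local/bin/check-user",no-pty ssh-rsa KEYDATA web@tiger
END
print "$_\n" for audit($sample);
```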
 