views:

34

answers:

2

I'm currently in the process of writing a CGI blog engine in C (fun project - don't hate! :) and I'd like to enable posting for every user that has a login on the machine the webserver is running on.

What is the correct way to see if a supplied login and password match against the systems login data?

Just to clarify, if I have a shell login "user" with password "pass" on the host machine, I'd like to be able to authorize myself with the same "user" and "pass" on the CGI page.

Disclaimer: I know that sending your shell login data unencrypted over possibly multiple routers to a CGI site is as secure as trying to make fire inside a filled gas-tank, but this is (and remains) a localized fun project :)

+1  A: 

You'll need libshadow to do you authentication. There's a convenient overview here.

http://www.linux.org/docs/ldp/howto/Shadow-Password-HOWTO-8.html

sleepynate
Well, the page says libshadow needs root access to operate... I do not think my CGI script is gonna be root... :/
LukeN
Well, you are asking your CGI script to do something very silly and unsafe... is it surprising that you'd need elevated privileges to access and decrypt /etc/passwd and /etc/shadow? The only other option is to do what other systems do, and that's daemonize a process that DOES use libshadow, and have your CGI run credentials through your daemon as a regular user.
sleepynate
Other than that, perhaps take a look at how CGIpaf does it:http://www.wagemakers.be/english/programs/cgipaf
sleepynate
As the PAM idea doesn't seem to apply to CGI, I'll see what I can do with libshadow.. even if it means having to write some daemon - If I wasn't in for the pain, I would't write this whole stuff in C :)
LukeN
Indeed. There are very good reasons why what you would like to do here does not exist :)
sleepynate
A: 

You could use PAM, which is a C library. There are bindings for other languages too.

unbeli
Obviously PAM is the best way to write authentication-related applications, but I wonder how one can use it in CGI scenario. I mean, PAM application cannot simply call `pam_set_item(pamh, PAM_AUTHTOK, password)`, these things have to be supplied through application-defined callbacks. But CGI process will die before receiving user answer, and there is no way to restore full PAM context on form submit. I can only think about storing {PAM question -> user answer} mapping somewhere, but this looks like big ugly hack. Correct me if I wrong.
rkhayrov
I would anyway do a separate daemon to handle authentication. Oh wait, why not use SASL then?
unbeli