[NTLUG:Discuss] authentication in a script

fredjame fredjame at fredjame.cnc.net
Thu Apr 15 13:38:27 CDT 2004


Jack Snodgrass wrote:

>On Thu, 2004-04-15 at 11:46, fredjame wrote:
>
>>Is it possible to use some existing system call (like login) to
>>authenticate a user within a script (bash)?
>
>With linux, almost anything is possible.... maybe hard.... but possible.
>
>first of all... what/why are you doing this exactly? if you want to run
>a command on a remote system and handle the userid/password stuff
>automatically, use ssh with keys that don't use passwords. Once you have
>the keys generated, you can do something like
>ssh remoteuser@remotesystem "ps -aef"
>and it will login without a password ( if you used a null password in
>your key ) and execute the ps -aef command. You can run almost any remote
>command, pipe/grep the output and then run additional commands.
>
>if you don't want to use this method and do need to validate the
>userid/password that a user gives you......
>
>I don't do this from bash... ( but I could.... )  I have a php script (
>you could do it in perl but perl gives me a headache ) that takes the
>users userid and password and it logs them into the IMAP server. (Since a
>login doesn't access any mail... it's relatively cheap performance wise. )
>If they get a successful login, they are authenticated ( and I store a
>cookie so I only do this once a week per user ).... if the login fails,
>then they are rejected.
>
>This is a php snippet of the code:
>     // "@" silences the connection error, so an unreachable server
>     // also ends up as "Access denied" (fails closed).
>     $mbox = @imap_open("{server:143}", $UserName, $Password);
>     if ($mbox === false) {
>         print "Access denied. Invalid userid/password\n";
>         return 0;
>     } else {
>         // Login succeeded; no mailbox data is read, just close it again.
>         $rc = imap_close($mbox);
>     }
>
>    // if they get here, they are valid and I set the cookie.
>
>The question is... how do you want to store / get the userid / password.
>
>jack
>  
>
I have thought this one through a little further, and realize now that 
it is sort of silly, but I'll tell you what I was I thinking anyway.

What I wanted to do:
(1) I wanted to (semi) automate some processes (probably using expect) 
in conjunction with other servers/hosts.
(1-a) Unfortunately this could leave a little hole into the other 
servers/hosts should a locally authorized user leave a terminal open.
(1-a-i) I would have liked to include in the automation script a local 
authentication (i.e., check your local username/password) to help ensure 
that only locally authorized users can run the script.
(1-a-i-1) I know, hack the script and remove the authentication, etc. - 
this is where it starts to look really silly.
(1-a-i-1-a) If I really got insistent and wanted to do this, it would 
have to be in a compiled language (such as C) at a bare minimum.

So, instead of trying to snarl myself up in a complex, foolproof world, 
I'll just try to remember that most security breaches are inside jobs 
and user error, and go for something a little simpler like training.

Sorry, I guess I just had one of those moments.

-- 
...we are fellow passengers...
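An added example, not code from either poster, showing the two approaches the thread touches on as a POSIX shell wrapper around an automation script: letting sudo do the local password check (with the ssh key held by a separate account, so editing the wrapper gains an attacker nothing, which answers point 1-a-i-1), and the IMAP-login check from the reply, done with curl's IMAP support in place of PHP's imap_open. The group name `autoops`, the account `automation`, the task path `/usr/local/bin/provision.expect` and the sudoers line are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Gate an automation wrapper on a local
# credential check before it touches other hosts.
#   gate_with_sudo  - sudo does the password check; the ssh key lives under
#                     a separate account, so a copied/edited wrapper is useless
#   gate_with_imap  - the IMAP-login check from the reply, via curl
# Group "autoops", account "automation", host names and TASK are assumptions.
set -u

ALLOWED_GROUP="${ALLOWED_GROUP:-autoops}"
RUN_AS="${RUN_AS:-automation}"
TASK="${TASK:-/usr/local/bin/provision.expect}"

# in_group USER GROUP: return 0 if USER belongs to GROUP, else 1.
in_group() {
    _user=$1; _group=$2
    for _g in $(id -Gn "$_user" 2>/dev/null); do
        [ "$_g" = "$_group" ] && return 0
    done
    return 1
}

# imap_login_ok USER PASSWORD HOST: 0 if the IMAP server accepts the login.
# Credentials reach curl through a config on stdin (-K -), not the command
# line, where every local user could read them from ps(1). Like the PHP
# snippet, an unreachable server also counts as a failed login (fail closed).
imap_login_ok() {
    printf 'user = "%s:%s"\n' "$1" "$2" |
        curl -s -o /dev/null -K - "imaps://$3/"
}

# read_password PROMPT: ask on the terminal with echo off, print the value.
read_password() {
    printf '%s' "$1" >&2
    stty -echo; read -r _pw; stty echo; echo >&2
    printf '%s' "$_pw"
}

# gate_with_sudo ARGS...: group check, then run TASK as RUN_AS through sudo.
# "sudo -k" drops any cached timestamp so the password is always asked for,
# which covers the unattended-terminal case. The sudoers rule (root-owned,
# edited with visudo) permits only the fixed TASK path, for example
#   %autoops ALL=(automation) /usr/local/bin/provision.expect
# so removing the check from a private copy of this wrapper does not help:
# the key is readable only by "automation", and only TASK may run as it.
gate_with_sudo() {
    _me=$(id -un)
    if ! in_group "$_me" "$ALLOWED_GROUP"; then
        echo "$_me is not in group $ALLOWED_GROUP" >&2
        return 1
    fi
    sudo -k
    sudo -u "$RUN_AS" "$TASK" "$@"
}

# gate_with_imap HOST ARGS...: the IMAP variant, run as the caller's own uid.
# This does verify a password, but the ssh key used by TASK is still the
# caller's own, so the check can be edited out: exactly the weakness the
# original poster noticed. Prefer gate_with_sudo when the key must be protected.
gate_with_imap() {
    _host=$1; shift
    _me=$(id -un)
    _pw=$(read_password "IMAP password for $_me: ")
    if ! imap_login_ok "$_me" "$_pw" "$_host"; then
        echo "Access denied. Invalid userid/password" >&2
        unset _pw
        return 1
    fi
    unset _pw
    "$TASK" "$@"
}

# Act only when invoked with a mode argument; sourcing just defines functions.
#   ./gate.sh sudo web01            ./gate.sh imap mail.example.org web01
case "${1:-}" in
    sudo) shift; gate_with_sudo "$@" ;;
    imap) shift; gate_with_imap "$@" ;;
esac
```

`in_group` is the only part that runs without a sudoers entry or an IMAP server; the other functions need the environment described in their comments.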




