: Remote Password Changes - Security Issues?


Post by Steve McCulla » Fri, 23 Aug 1996 04:00:00

Hello,

I am pondering the security issues of writing a remote-password changing
utility.  The situation is this: we support a student computing facility
at a university.  The student computing resources include a UN*X box
(Linux), and a Novell server.  Passwords are not necessarily synchronized
on both servers, although usernames are.

My question is this:  if I write a utility to allow a user to change
his/her password on the UN*X account *FROM* their login session on
Novell, what is the safest implementation for such an app?  I plan to
do authentication on the local login session, then allow a password
change on the corresponding UNIX account via a direct write to the
/etc/passwd file.

Is this incredibly stupid, or can it be done safely?  Other thoughts:

- SUID?
- only allow (invisible) synchronization from the Novell bindery p/w object
  to the UNIX /etc/passwd file (i.e. user invokes an automatic process, with
  no opportunity for input)?
- existing apps to do this?
- use RPCs?

Any thoughts welcomed.
Steve

--
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

  Richard Ivey School of Business  Office: Rm 55A WBS
  University of Western Ontario    Phone : (519) 661-2111 x 5134
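
Since the post proposes a direct write to /etc/passwd, here is an added example (not from the original thread) of the two safeguards such a utility needs: reject any input that could inject extra fields or extra entries into the file, and replace the file atomically under a lock so a concurrent passwd(1) or vipw cannot leave it half-written. It assumes the classic 7-field passwd format with the hash in the second field (no shadow file), as the post describes.

```python
import fcntl
import os
import re
import tempfile

# A username may only use the characters a classic passwd file expects;
# fullmatch (not match with $) so a trailing newline is also rejected.
_USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]*")


def replace_password_hash(passwd_text, username, new_hash):
    """Return passwd_text with only `username`'s hash field replaced.

    Raises ValueError if an input could corrupt the file (a ':' or a
    newline in either field would add fields or whole entries), or if
    the user does not appear exactly once.
    """
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("bad username")
    if not new_hash or ":" in new_hash or "\n" in new_hash:
        raise ValueError("bad password hash")
    out, hits = [], 0
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == username:
            fields[1] = new_hash
            hits += 1
        out.append(":".join(fields))
    if hits != 1:
        raise ValueError("user not found exactly once")
    return "\n".join(out) + "\n"


def write_passwd_atomically(path, username, new_hash):
    """Lock the passwd file, write the new contents to a temp file in the
    same directory, fsync it, then rename it over the original so readers
    only ever see a complete file. The caller must already be privileged
    (e.g. a small setuid helper that does nothing but this)."""
    with open(path, "r+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        new_text = replace_password_hash(fh.read(), username, new_hash)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w") as tmpfh:
            tmpfh.write(new_text)
            tmpfh.flush()
            os.fsync(tmpfh.fileno())
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; passwd is world-readable
        os.rename(tmp, path)
        fcntl.flock(fh, fcntl.LOCK_UN)
```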


1. .htaccess and session password changing issues

Solaris 5.7
Apache 1.3.19

I have a set of pages protected by a .htaccess file.

Everything works fine.

Now, I have a cgi script which changes the password used by the
.htaccess file every hour (the script rewrites the .htaccess file).
This works fine too.

When a user establishes a session through her browser, i.e.
authenticates with the server, and the session lasts for more than one
hour, the password to access the pages changes.  This then causes
access problems, with the user being prompted to log in again.  In fact
each different page they visit after this point generates a "password
mismatch" error.

It is as if the browser is storing the original authentication details
somewhere and not letting go of them even though a new session has
been authenticated for.

Is there a way to get the browser to accept the fact that the password
has changed server side?  Do all browsers handle the authentication
process the same?  Are there any docs about this on the web anywhere?

Thanks for your help...

paul
