[unisog] web based passwords

Daniel P. Martin dmartin at uark.edu
Fri Dec 7 02:58:01 GMT 2001


Lance:

We have a home-grown web application that addresses this issue on several
different platforms.  The client authenticates via the same University ID # and
PIN used for things like registration-by-phone; they're then given a choice of a
variety of platforms (OS/390-RACF, dial-up RADIUS authentication, central LDAP
directory, a couple of different free-standing unixes, and/or Windows AD) to
request a password change or reset on.  The web app verifies the validity of the
person/ID/platform combination and communicates to an agent on the platform[s]
to be updated.

It's a bit of a "Rube Goldberg" engine, but it's been working in various forms
for about 5 years.  The UNIX agent is adapted from the Qualcomm "poppassd" code
and has proven to be well-behaved -- I have about 28,000 UNIX/LDAP accounts that
this is enabled for.

If you'd like more detailed info, you're welcome to contact me directly for
follow-up discussion.

-dan.

Daniel P. Martin
Manager, Open Systems / IT Security
University of Arkansas - Computing Services
dmartin at uark.edu

On Thu, 6 Dec 2001, Lance Gjerstad wrote:

> We have a large number of users who use our Unix system for e-mail, but
> who don't have the knowledge to log into the system and don't care to
> take the time to learn.  Unfortunately, this means they either have to
> call the computer center to have their passwords changed or, as is more
> likely, just never change their passwords.  We've been looking into
> various solutions, such as enabling some sort of web interface to this,
> and likely other commands.  Does anyone know of a secure and affordable
> solution for this?  We'd prefer if the CGI script could become the user
> without having to be suid root, but it doesn't appear that Unix allows this.
>
> Lance Gjerstad
> Intermediate Unix System Administrator
> Kettering University
>


