Password management -- description and installation

This package contains a modified htpasswd and a Perl script which together allow a user to change his or her password, and Administrator to partially administer access rights, from any WWW browser. It works both over plain http and over https.

The scripts were created by Z. Wagner -- Ice Bear Soft. They are provided absolutely without any warranty.

Requirements

EMX 0.9c or higher is required. If Apache 1.3.x runs on your computer, you certainly have the correct version of EMX.

The script requires Perl. It was tested with Perl 5. However, the script is not object oriented and does not use sockets, so it should also work with Perl 4.

The script requires the module ZWurl.pm from the IceBearSoft Perl Package (written by me). This package is not available yet (because its documentation is not finished) but will be freely available from http://members.xoom.com/z_wagner/. The module is included in the cgi subdirectory of this package. Make an IceBearSoft subdirectory in your Perl lib directory and move the module there.

Installation

Installation requires the following steps:

  1. With the standard htpasswd create your user file with an account for Administrator (the name is case sensitive) and make your group file.
  2. Make the directory with index.shtml and its cgi subdirectory available to your Apache server. The easiest way is to place it in the document tree, but that may be dangerous. I suggest keeping such documents in separate directories and using Alias. Access to these directories must be controlled by the same user and group files and should allow access to any valid user. The configuration directives may look as follows (they are also distributed in the file passwd.conf):
    Alias /passwd @@ServerRoot@@/securedocs/passwd
    
    <Directory @@ServerRoot@@/securedocs/passwd>
    Options IncludesNOEXEC
    DirectoryIndex index.shtml
    AllowOverride none
    AuthGroupFile @@ServerRoot@@/security/groups
    AuthUserFile @@ServerRoot@@/security/users
    AuthName "Password management"
    AuthType basic
    require valid-user
    </Directory>
    
    <Directory @@ServerRoot@@/securedocs/passwd/cgi>
    Options ExecCGI
    AddType application/x-httpd-cgi PL
    </Directory>
    
    Notice that the directory requires server side includes and that the cgi subdirectory defines PL as an extension designating a CGI script. I have good reasons why such extensions are not recognized as scripts in other directories.
  3. The script needs the server root directory exported to it in the environment. Be sure that the module providing SetEnv is loaded (in Apache 1.3 it is mod_env, not mod_setenvif) and specify, after loading it:
    SetEnv SERVER_ROOT @@ServerRoot@@
    
    (Replace @@ServerRoot@@ with the real directory.)
  4. Password management over plain http can be intercepted: with Basic authentication the old password travels in the Authorization header and the new one in the form, both in the clear. It is therefore better to use https. If you have mod_ssl, you can force its use with SSLRequireSSL or SSLRequire.
  5. You may have pseudo-users, i.e. one user name shared by several people. Such users should not be allowed to change the password, otherwise one of them locks out the rest. It is better to modify the access control to require group trusted. Group trusted then must contain the names of the users who may change their passwords (Administrator included, otherwise Administrator cannot reach the form either).
  6. The program wwwhtpasswd.exe may either remain in the cgi subdirectory, or be placed in a directory on your PATH (this may be dangerous: a program found through PATH can be replaced by anyone who can write to a directory earlier in PATH), or its full path must be specified in passwd.pl.
  7. The first line of passwd.pl must name the executable of the Perl interpreter. On my computer it is perl5.exe and it is located in a directory listed in PATH, so the first line is #!perl5. Change it according to the requirements of your system.
  8. The beginning of passwd.pl defines a few variables containing the paths to the group and user files and to wwwhtpasswd.exe. The variable $url contains the URL of the password changing form. If you have not changed the URL in the Alias statement you need not change it.
  9. Restart Apache and try it.
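
The following is an added example, not the passwd.conf shipped with the package: the directives of steps 2 to 5 combined into one configuration, with the two hardening changes (https only, group trusted instead of valid-user) applied. The @@ServerRoot@@ placeholder is kept as in the text, and the presence of mod_ssl and of a group named trusted in the group file are assumed.

```apache
# Added example combining steps 2-5; replace @@ServerRoot@@ with the real directory.
Alias /passwd @@ServerRoot@@/securedocs/passwd

<Directory @@ServerRoot@@/securedocs/passwd>
    Options IncludesNOEXEC
    DirectoryIndex index.shtml
    AllowOverride none
    AuthGroupFile @@ServerRoot@@/security/groups
    AuthUserFile @@ServerRoot@@/security/users
    AuthName "Password management"
    AuthType basic
    # step 4: refuse plain http, so neither the Basic credentials nor the new
    # password cross the network in clear (requires mod_ssl)
    SSLRequireSSL
    # step 5: instead of "require valid-user", only members of group trusted
    # (which must include Administrator) may open the form; shared pseudo-users
    # are simply left out of that group
    require group trusted
</Directory>

<Directory @@ServerRoot@@/securedocs/passwd/cgi>
    Options ExecCGI
    AddType application/x-httpd-cgi PL
</Directory>

# step 3: passwd.pl reads the server root from this variable (SetEnv is mod_env)
SetEnv SERVER_ROOT @@ServerRoot@@
```

The cgi subdirectory inherits the authentication and SSL requirement of its parent Directory block, so passwd.pl can only be reached by a user who has already supplied a valid password over https.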

Usage

Ordinary users can only change their own password. The form displays only two fields, for entering the new password twice. The user name is taken from the authentication variables; since the directory is protected by the same user file, the user already had to supply his or her old password to reach the form. After the password has been changed the browser will complain that authorization failed, because it keeps re-sending the old credentials. Some browsers allow logging on again with the new password. Others may be so confused that it is necessary to close all instances of the browser and then try again with the new password.

Administrator can add and delete users, assign users to groups and change the password of any user. The forms are intuitive and need no explanation. Due to a bug, some fields have space for more items...

Problems

For security reasons the script verifies that it is being used from the form on the same server: the request must be a POST, and the Referer must lie within the script's own URL. Unfortunately some transparent caches remove the Referer field. The test begins with the following line:

if ($ENV{'REQUEST_METHOD'} ne 'POST' || !$me || !$referer || index($me, $referer) < 0) {

Note that the method comparison must use ne, the string operator: with != Perl compares numerically, both strings evaluate to 0, and the comparison never fails, so a GET request would pass the test. It is not wise to remove the test for Referer, but you can allow access without this field for specific users and IP addresses.

There is still the possibility that a malicious user uses some other tool which can set an arbitrary Referer field and send any data. Therefore the script verifies the user name again from the authentication variables and ignores all CGI variables which might have been added.
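
The same checks, rendered in Python as an added example (it is not the package's Perl code): the request must be a POST whose Referer is on the form's own scheme, host and path; the account whose password is changed comes from REMOTE_USER, never from the form, unless the caller is Administrator; and the Referer exemption of the previous paragraph is an allowlist of user and address pairs. The form URL, the allowlist entries, the field names new1/new2 and the user-name pattern (added here so that the name is safe to hand to an external program such as wwwhtpasswd.exe) are all assumptions of this example.

```python
import re
import urllib.parse

# Assumed values for this example; none of them come from the package.
FORM_URL = "https://www.example.com/passwd/"     # what $url in passwd.pl would hold
ADMIN = "Administrator"                          # case sensitive, as in the README
NO_REFERER_USERS = {"alice"}                      # users behind a cache that strips Referer
NO_REFERER_ADDRS = {"192.0.2.10"}                 # ...and the addresses they come from
# Added restriction: a user name that is safe to pass to an external program.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def referer_ok(referer, form_url=FORM_URL):
    """True if referer has the form's scheme and host and lies under its path."""
    if not referer:
        return False
    r = urllib.parse.urlsplit(referer)
    f = urllib.parse.urlsplit(form_url)
    return (r.scheme, r.netloc) == (f.scheme, f.netloc) and r.path.startswith(f.path)


def check_request(environ, form):
    """Decide whether a password-change POST may proceed.

    environ: CGI environment (REQUEST_METHOD, REMOTE_USER, HTTP_REFERER, REMOTE_ADDR)
    form:    decoded form fields
    Returns (ok, reason, target_user). target_user is the account whose password
    will be changed; it is taken from the authentication variable and the form's
    own 'user' field is ignored unless the caller is Administrator.
    """
    if environ.get("REQUEST_METHOD") != "POST":
        return (False, "not a POST", None)

    user = environ.get("REMOTE_USER") or ""
    if not user:
        return (False, "no authenticated user", None)

    referer = environ.get("HTTP_REFERER") or ""
    if not referer:
        # Referer stripped by a cache: tolerated only for listed user/address pairs
        if user not in NO_REFERER_USERS or environ.get("REMOTE_ADDR") not in NO_REFERER_ADDRS:
            return (False, "missing Referer", None)
    elif not referer_ok(referer):
        return (False, "foreign Referer", None)

    target = user
    if user == ADMIN and form.get("user"):
        target = form["user"]
    if not USERNAME_RE.match(target):
        return (False, "bad user name", None)

    if not form.get("new1") or form.get("new1") != form.get("new2"):
        return (False, "passwords empty or differ", None)

    return (True, "ok", target)


if __name__ == "__main__":
    # Constructed sample environment: ordinary user bob posting from the form.
    env = {"REQUEST_METHOD": "POST", "REMOTE_USER": "bob",
           "REMOTE_ADDR": "198.51.100.7",
           "HTTP_REFERER": "https://www.example.com/passwd/index.shtml"}
    print(check_request(env, {"new1": "s3cret", "new2": "s3cret"}))
    # A forged 'user' field from an ordinary user is ignored.
    print(check_request(env, {"user": ADMIN, "new1": "s3cret", "new2": "s3cret"}))
    print(check_request(dict(env, HTTP_REFERER="https://evil.example/passwd/"),
                        {"new1": "s3cret", "new2": "s3cret"}))
```

The referer test is deliberately stricter than the original index() substring match: it compares scheme and host separately, so a host name that merely contains the server's name as a substring does not pass.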

Forgotten password

If a user forgets his or her password, he or she cannot access the password changing form. Administrator can set a new password for that user without knowing the old one.

If Administrator forgets his or her password, no one can change it from the form. It is, however, possible to use the standard htpasswd.exe on the server, which sets a new password without knowing the old one.