> I'm looking for the simplest way to verify a linux user password from
> within a servlet.
[quoted text clipped - 9 lines]
>
> Any ideas?
JNI or an external helper. The basic mechanism for verifying a user's
password is to encrypt the password that was provided and compare that
with the encrypted one stored by the system. If you're using shadow
passwords, you need root privileges to obtain the user's encrypted
password from the system.
I would be suspicious of any web server (even an internal one) that
requires my login password. Regardless, I don't recommend that you pass
plaintext passwords around: do the initial encryption on the client.
Depending on what you intend to do there may be better or simpler
alternatives (based on SSL or signed certificates, however I'm no
expert on these things).
/gordon

Signature
[ do not email me copies of your followups ]
g o r d o n + n e w s @ b a l d e r 1 3 . s e
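The "external helper" route from the reply above, sketched as an added example that is not part of the original thread: the servlet never reads the shadow file itself but hands the credentials to a small privileged program and trusts only its exit status. The helper path, its stdin protocol and the class and method names are assumptions made for illustration; the helper is assumed to run with the privilege needed to read shadow passwords.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

public final class HelperPasswordCheck {
    // Hypothetical helper path (assumption). Assumed protocol: reads
    // "user\npassword\n" on stdin and exits 0 only when the password matches.
    private static final String HELPER = "/usr/local/libexec/checkpw";
    // Conservative login-name pattern; anything else is rejected up front.
    private static final Pattern LOGIN = Pattern.compile("[a-z_][a-z0-9_-]{0,31}");
    /** Returns true only on a confirmed match; every error path denies. */
    public static boolean verify(String user, char[] password) {
        if (user == null || password == null || !LOGIN.matcher(user).matches()) {
            return false;
        }
        for (char c : password) {
            if (c == '\n' || c == '\r') return false; // would break line framing
        }
        ByteBuffer pw = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        Process p = null;
        try {
            p = new ProcessBuilder(HELPER)
                    .redirectErrorStream(true)
                    .redirectOutput(ProcessBuilder.Redirect.DISCARD) // Java 9+
                    .start();
            // Credentials go over stdin, never argv (visible in the process list).
            try (OutputStream in = p.getOutputStream()) {
                in.write((user + "\n").getBytes(StandardCharsets.UTF_8));
                in.write(pw.array(), pw.arrayOffset() + pw.position(), pw.remaining());
                in.write('\n');
            }
            // A hung helper counts as a failed login.
            return p.waitFor(5, TimeUnit.SECONDS) && p.exitValue() == 0;
        } catch (IOException e) {
            return false;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        } finally {
            Arrays.fill(pw.array(), (byte) 0); // wipe the encoded password copy
            if (p != null && p.isAlive()) p.destroyForcibly();
        }
    }
}
```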
Oliver Wong - 07 Dec 2005 19:22 GMT
>> I'm looking for the simplest way to verify a linux user password from
>> within a servlet.
[quoted text clipped - 23 lines]
> alternatives (based on SSL or signed certificates, however I'm no
> expert on these things).
It's not too uncommon in a corporate environment to have some sort of
"single sign on" service. That is, you have one computer that's completely
dedicated to managing user accounts and usernames and passwords are
centrally stored. This is so that, when you change your e-mail password for
example, your CVS, SSH, FTP, SharePoint, LotusNotes, WikiMedia, etc.
passwords all change simultaneously too. On Windows, such a service is
typically implemented with LDAP. Not sure what the equivalent Linux
technology is.
- Oliver
timothy.williams@comverse.com wrote on 7 Dec 2005 09:43:09 -0800 in
comp.lang.java.help:
>I'm looking for the simplest way to verify a linux user password from
>within a servlet.
[quoted text clipped - 3 lines]
>validate the password I receive against the password for that Linux
>user.
Read up on JAAS:
http://java.sun.com/products/jaas/
And then check out the com.sun.security.auth.module.UnixLoginModule
class:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/UnixLoginModule.html
I don't know if it will work with Linux or not, but it's probably
worth investigating.

Signature
Check out QueryForm, a free, open source, Java/Swing-based
front end for relational databases.
http://qform.sourceforge.net
If you're a musician, check out RPitch Relative Pitch
Ear Training Software.
http://rpitch.sourceforge.net
Dave Glasser - 08 Dec 2005 05:29 GMT
Dave Glasser <dglasser@pobox.com> wrote on Thu, 08 Dec 2005 00:13:12
-0500 in comp.lang.java.help:
>timothy.williams@comverse.com wrote on 7 Dec 2005 09:43:09 -0800 in
>comp.lang.java.help:
[quoted text clipped - 18 lines]
>I don't know if it will work with Linux or not, but it's probably
>worth investigating.
Actually, it might not be. I googled it and it seems that
UnixLoginModule only returns information about the process user.

timothy.williams@comverse.com - 08 Dec 2005 18:46 GMT
Thanks for the responses.
I checked out JAAS. My issue would still be the need for writing the
LoginModule for Linux access to the accounts.
I was hoping to find a LoginModule in OpenSource for Linux... no luck
yet.
Is there a method in Java to get at the password shadow file?
thanks
Oliver Wong - 08 Dec 2005 19:01 GMT
> Is there a method in Java to get at the password shadow file?
Probably not, given that this is a very OS specific concept.
- Oliver