阿帕奇HTPASSWD安全密码更改 [英] Apache htpasswd secure password change
问题描述
我的问题很简单。
如何让用户改变存储在一些Linux htpasswd文档密码不泄露文件的内容或允许用户修改其他密码?
How to allow users to change their passwords stored in some htpasswd file in linux without revealing the files content or allow users to modify other passwords?
我试着写一个脚本使用ssh和specialy设计的用户这样做的工作,但它会导致noway。
I tried to write a script to do that job using ssh and specialy-designed user but it leads noway.
请帮忙。
我使用Debian的服务器莱尼。
Please help. I am using Debian server "Lenny".
推荐答案
的Apache 的htpasswd 文件不支持任何阴影的功能。因此,你必须prevent的用户访问您的Web服务器,以防止他们的密码文件了。因此,唯一的解决办法是你的SSH为基础的方法或任何其他远程解决方案。下面的描述将解释如何写一个SSH命令脚本,只有当用户知道自己的旧密码更改密码。主要的问题是,Apache不提供一个命令行工具来验证在的htpasswd 文件的密码。但是这可通过手工进行。
The Apache htpasswd file does not support any shadow functionality. Therefor you have to prevent the users accessing your web server in order to keep them away from the password file. So the only solution is your SSH based approach or any other remote solution. The following description will explain how to write a SSH command script to change the password only if the user knows his old password. The major problem is, that Apache does not provide a command line tool to verify a password in a htpasswd file. But this can be done by hand.
以下描述假定Web服务器用户是 www数据和用户的主目录为 /无功/网络。
The following description assumes that the web server user is www-data and that the home directory of the user is /var/www.
首先,你必须创建一个htpasswd的文件,即写入由Web服务器用户:
First you have to create a htpasswd file, that is writable by the web server user:
# ls -la .htpasswd
-rw-r--r-- 1 www-data root 18 10. Mai 16:30 .htpasswd
然后,你必须把所有的用户的项添加到Web服务器用户的的authorized_keys 文件。你必须preFIX与命令每行选项。
Then you have to add the keys of all your users to the authorized_keys file of the web server user. You have to prefix each line with the command option.
# cat .ssh/authorized_keys
command="/var/www/.htpasswd.sh" ssh-rsa AAAA... user@host
每当用户用他的钥匙只有 .htpasswd.sh 被执行连接。用户不必Web服务器的shell访问。
Whenever a user connects with his key only the .htpasswd.sh gets executed. The users do not have any shell access to the web server.
这是更改密码的脚本:
#! /bin/bash
HTPASSWD=/var/www/.htpasswd
die () { echo "$*" >&2 ; exit 1 ; }
read -p 'Enter user name: ' USER
read -s -p 'Old password: ' OLDPW ; echo
read -s -p 'New password: ' NEWPW0 ; echo
read -s -p 'Re-type new password: ' NEWPW1 ; echo
if LINE=$(grep ^"$USER": "$HTPASSWD")
then
echo "$LINE" | sed 's/.*:\(..\)\(.\+\)/\1 \2/' | {
read SALT CRYPT
if [[ "$SALT$CRYPT" = $(echo "$OLDPW" | mkpasswd -sS "$SALT") ]] ; then
if [ "$NEWPW0" != "$NEWPW1" ] ; then
die "Password verification error!"
fi
PWS=$(grep -v ^"$USER:" "$HTPASSWD")
{
echo "$PWS"
echo -n "$USER:"
echo "$NEWPW0" | mkpasswd -s
} > "$HTPASSWD"
echo "Updating password for user $USER."
else
die "Password verification error!"
fi
}
else
die "Password verification error!"
fi
棘手的部分是密码验证。它是通过读取旧盐和加密的旧密码与老盐完成。该结果与在的htpasswd 文件旧的加密密码进行比较。
The tricky part is the password verification. It is done by reading the old salt and encrypting the old password with the old salt. The result is compared with the old encrypted password in the htpasswd file.
现在,用户可以连接到Web服务器,以改变密码:
Now the user can connect to the web server in order to change the password:
$ ssh www-data@localhost
Enter user name: szi
Old password:
New password:
Re-type new password:
Updating password for user szi.
Connection to localhost closed.
大家只能更改自己的密码,没有人可以访问其他用户的加密密码。该解决方案提供有关在shell脚本中使用原始的的htpasswd 程序一个额外的好处,因为密码永远不会作为命令行参数。这是不可能与的htpasswd ,因为它无法从标准输入,如密码 mkpasswd 。
Everybody can change only his own password and nobody has access to the encrypted passwords of the other users. This solution has an additional benefit about using the original htpasswd program in a shell script, because the passwords are never used as a command line argument. This would not be possible with htpasswd, because it can not read the password from stdin like mkpasswd.
这篇关于阿帕奇HTPASSWD安全密码更改的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
