javascript – Authentication of system users on the http-server request-response

Question:

The idea is as follows. Allow users to use their system logins and passwords to access some web service running on the same machine. At the same time, for greater security, only hashes of the entered passwords, combined with random data from the server, are transmitted over the network. A separate daemon, connected to the web service via a unix socket, will check the passwords.

Ubuntu OS.

Are there any ready-made solutions? Is it possible to program this using the PAM library? Will this create restrictions on PAM configuration?

As far as I understand, all existing plugins and authentication patches for http servers via PAM receive passwords from the user only in clear text; apparently this follows from the capabilities of PAM.

Description of one of the similar solutions: https://davidben.net/thesis.pdf

Answer:

PAM receives passwords in cleartext, although it is theoretically possible to write a PAM module that forces the user to solve a problem involving data and a function known only to the user, and to enter the result instead of a password. Passwords are usually stored in the form of hashes (this depends on the modules used) with a salt (an additional string that makes the hashes of identical passwords unique), which is computed at the time a new password is set, from the time and other random data. A hash is the result of irreversibly encrypting a password, for example with the password itself as the key. In PAM itself, there is no way for the application to work with these hashes; they remain inside the modules.

Thus, you either need to intercept passwords through your own PAM module at the time they are set, or use getspnam() to get the hash from /etc/shadow.

In the first case, the password hashes computed in the module (so that the password itself cannot be recovered) can be written to a file accessible only to the checking daemon for the web server. The web client will have to hash the password twice. The disadvantages of this method are that after installing the package, a user must first change their password before they can access the web service. And if a remote password store is used and the user changes their password from another computer, the old password will remain valid in the web service.

The second case requires you to transfer the hashing method and salt from /etc/shadow to the web client so that it can hash the password in the same way and then hash it again with random data from the server. If PAM is configured with modules other than pam_unix, a user whose password is stored elsewhere must also have a password in /etc/shadow in order to use the web service. The hashing method must be configured so that the web client can reproduce it.

The checking daemon itself does not need to use PAM.

This non-SSL authentication method is vulnerable to password hijacking if an attacker is able not only to monitor traffic but also to interfere with it. By adding their own code to the script, they can force the browser to send the password in cleartext before hashing.
