There are few transparent methods for this, unfortunately.
In a centrally managed network, you could possibly use Kerberos, with mod_auth_gssapi or mod_auth_kerb on the web server side (aka "HTTP Negotiate"). Kerberos is very secure, but can be a pain to configure for web usage (not all browsers support it, and only some allow it by default).
If all the computers are trusted (i.e. users are guaranteed to not tamper with root-installed software), the Ident protocol (RFC 1413) is a possibility, but the authentication it provides is very weak.
But most often, your only option is to ask for a password.
If the users have accounts in /etc/passwd, as mentioned in your comment, running a privileged program is unfortunately the only way to verify a received password against /etc/shadow.

If you do this, don't write your own scripts through sudo, because you will get input validation wrong the first time, and because it's a solved problem already. Pick something well-known, for example Cyrus saslauthd (which can run in -a pam mode); that way your website will not need any privileges beyond connecting to the saslauthd socket.
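As an added example (not part of the answer above, nor Cyrus SASL's own code): the wire protocol a web app speaks to the saslauthd socket is small enough to implement directly. The client sends four length-prefixed fields (login, password, service, realm; each a 16-bit big-endian length followed by the bytes) and reads back one length-prefixed string beginning with "OK" or "NO". The socket path /run/saslauthd/mux is the Debian default and is an assumption; the in-process stand-in server and its user table are constructed here only so the example runs offline without a real saslauthd or PAM.

```python
"""Minimal client for the saslauthd Unix-socket protocol, plus a
constructed stand-in daemon so the example can be run offline.

Added example; not code from the original answer or from Cyrus SASL.
"""
import hmac
import os
import socket
import struct
import tempfile
import threading

# Debian/Ubuntu default (assumption); other distros use /var/run/saslauthd/mux
SASLAUTHD_SOCKET = "/run/saslauthd/mux"


def _pack(field: str) -> bytes:
    """One saslauthd field: 16-bit big-endian length, then the bytes."""
    data = field.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field too long for saslauthd protocol")
    return struct.pack(">H", len(data)) + data


def encode_request(login: str, password: str, service: str = "http", realm: str = "") -> bytes:
    """Request as saslauthd expects it: login, password, service, realm."""
    return _pack(login) + _pack(password) + _pack(service) + _pack(realm)


def parse_reply(raw: bytes):
    """Return (ok, message) from a length-prefixed 'OK ...' / 'NO ...' reply."""
    if len(raw) < 2:
        raise ValueError("short reply from saslauthd")
    (n,) = struct.unpack(">H", raw[:2])
    msg = raw[2:2 + n].decode("utf-8", "replace")
    return msg.startswith("OK"), msg


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def check_password(login: str, password: str, service: str = "http", realm: str = "",
                   path: str = SASLAUTHD_SOCKET, timeout: float = 5.0) -> bool:
    """Ask the daemon at `path` whether login/password is valid.

    The web app needs no root: only write access to the socket, which the
    daemon (running as root, with -a pam) uses to consult /etc/shadow.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(encode_request(login, password, service, realm))
        hdr = _recv_exact(s, 2)
        (n,) = struct.unpack(">H", hdr)
        ok, _msg = parse_reply(hdr + _recv_exact(s, n))
        return ok


# --- Constructed stand-in for saslauthd (NOT the real daemon) ---------------
# Speaks the same wire protocol but checks a hard-coded table instead of PAM,
# so the client above can be exercised offline. Constructed test data.
FAKE_USERS = {"alice": "correct horse", "bob": "hunter2"}


def _read_field(conn: socket.socket) -> str:
    (n,) = struct.unpack(">H", _recv_exact(conn, 2))
    return _recv_exact(conn, n).decode("utf-8", "replace")


def _serve_one(conn: socket.socket) -> None:
    with conn:
        login, password, _service, _realm = (_read_field(conn) for _ in range(4))
        expected = FAKE_USERS.get(login, "")
        # Constant-time compare on bytes; unknown users always fail.
        ok = login in FAKE_USERS and hmac.compare_digest(expected.encode(), password.encode())
        conn.sendall(_pack("OK" if ok else "NO"))


def start_fake_saslauthd():
    """Listen on a fresh temp-dir socket in a daemon thread; return (path, listener)."""
    path = os.path.join(tempfile.mkdtemp(), "mux")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            _serve_one(conn)

    threading.Thread(target=loop, daemon=True).start()
    return path, srv


def demo():
    """Run the client against the stand-in: good password, bad password, unknown user."""
    path, srv = start_fake_saslauthd()
    try:
        return (check_password("alice", "correct horse", path=path),
                check_password("alice", "wrong", path=path),
                check_password("mallory", "", path=path))
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Against a real saslauthd, call check_password(user, pw) with the default path and drop the stand-in; make sure the web server's user is in the group that owns the socket directory (on Debian, add it to the sasl group) rather than loosening the socket's mode.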
ask user for username/password, calculate the hash of password and compare it to /etc/shadow. Problem is shadow file is visible only for root – jet – 2014-10-08T23:33:26.630
would it be very bad practice to have the webapp get root to run a script to compare the attempted password hash to the /etc/shadow hash? – clifgray – 2014-10-08T23:58:45.327
@clifgray Very bad practice. – JakeGould – 2014-10-09T00:48:02.127
are there alternatives or tools to use that allow me to still compare an attempted password with the unix one external to the unix login itself? – clifgray – 2014-10-09T01:00:20.440