ws.webpasswd 2.0.0

Change a UNIX password via web UI

This packages provides a web UI for the UNIX passwd command, e.g. so that SFTP-only user accounts can still change their password.

WARNING: The passwords are passed in plaintext via popen from the CGI process to the helper process that runs under sudo. So maybe don’t use this in an adversarial environment where people might spy on your process list or something.

Usage

Set up your webserver to run the CGI script. Here’s an example apache configuration snippet:

ScriptAlias /passwd /path/to/venv/bin/webpasswd-cgi

As changing the password for another user requires root access, you also need to setup passwordless sudo execution for the webpasswd-change helper. Add a rule like this, e.g. in /etc/sudoers.d/webpasswd:

www-data ALL=NOPASSWD:/path/to/venv/bin/webpasswd-change

(www-data means the user the webserver executing the CGI script runs as.)

You can pass the following environment variables to the CGI script:

WEBPASSWD_CHANGE:

Path to webpasswd-change helper. If unset, assumes a virtualenv installation (so it’s located next to webpasswd-cgi)

WEBPASSWD_STYLESHEET:

URL to a stylesheet to link to instead of using the built-in styles

Running tests

You’ll need to add a user account webpasswd, and interactively during the test run reset its password as instructed.

CHANGES

2.0.0 (2018-03-04)

• Rewrite using python-pam, Flask, Python-3 compatible, pip-installable.

1.0.0 (2008-07-10)

• First working version, using PyPAM.so and webpy.org