######################################################################
##                                                                  ##
##   P A S S W O R D   L O O K U P                                  ##
##                                                                  ##
##   by JPDeni                                                      ##
##   Created 25 Jun 2000                                            ##
######################################################################
#
# This is a semi-secure password lookup mod. All encryption is retained
# but the email address is not verified before login. Users may choose
# their own passwords.
#
# This version of the mod does not require the user to enter his
# email address into the .pass file. You must have a userid field and
# a field for the email address within your database file. Note that
# there is no check to be sure that the email address is unique.
#
# This works best if there is only one record per user. The user can
# enter either his userid or his email address.
#
# If you have $db_debug=1 set in your .cfg file, the email message
# will not be sent, but will instead be displayed on the "lookup
# success" form. This way you can test whether the script is working
# correctly or not. Note that the displayed message contains the new
# plaintext password, so be sure to set $db_debug=0 before your
# database goes "live."
######################################################################
######################################################################
#
# file: default.cfg
# -------------------------------------------------------------
# -- after --
# Full path and file name of the html routines.
require $db_script_path . "/html.pl";
# -- add --
# Your email address.
# Used by lookup() as the From: header of the password mail and as the
# support contact named in its body.
$admin_email = 'you@yourserver.com';
# The name of the database or organization that's running it
# (appears in the Subject: line and body of the password mail).
$db_name = "Database Manager";
# Email program on your system
# lookup() hands this string straight to a pipe open, so it must stay
# a fixed command set here in the .cfg and never be built from request
# data.
$mailprog = "|/usr/lib/sendmail -t";
# The number of your email address field
# (the index lookup() reads as $data[$email_field_number] from the
# record returned by split_decode; it is compared case-insensitively
# with the address the user submits).
$email_field_number = 5;
# -- after --
# Permissions a new signup should get.
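@auth_signup_permissions = (1,1,1,1,0);
# -- add --
# Allow people to look up lost passwords
$auth_lookup = 1;
#
######################################################################
#
# file: db.cgi
# -------------------------------------------------------------
# -- after --
elsif ($auth_signup and $in{'signup_form'}) { &html_signup_form; }
elsif ($auth_signup and $in{'signup'}) { &signup; }
# -- add --
elsif ($auth_lookup and $in{'lookup_form'}) { &html_lookup_form; }
elsif ($auth_lookup and $in{'lookup'}) { &lookup; }
#####################################################################
#
# file: db.cgi -- new subroutine
sub lookup {
# --------------------------------------------------------
# Handle a lost-password request.
#
# Reads $in{'lookup'} (the submitted user name or email address), finds
# the matching record in $db_file_name, generates a fresh password,
# replaces that user's entry in $auth_pw_file and mails the new
# password to the address stored in the record. With $db_debug set the
# mail text is shown on the success page instead of being sent.
#
# Uses the globals from the .cfg and db.cgi: %in, $db_file_name,
# $auth_pw_file, $db_use_flock, $auth_user_field, $email_field_number,
# $admin_email, $db_name, $mailprog, $db_debug, and the helpers
# split_decode, cgierr, html_lookup_form and html_lookup_success.
#
# Security notes: anyone who knows a user name or email address can
# trigger a reset; the mail is only ever sent to the address already on
# record, which is what limits the damage. The two distinct failure
# messages below also disclose whether an account exists. The password
# file is read and rewritten under one exclusive lock so two concurrent
# lookups cannot overwrite each other's change.
    use Fcntl qw(:flock);

    my $lookup = $in{'lookup'};
    # An empty or blank lookup would compare equal to any record whose
    # email or user-name field is empty and silently reset that account.
    if (!defined $lookup or $lookup !~ /\S/) {
        html_lookup_form("Please enter a user name or email address");
        return;
    }

    # --- find the record in the database file ----------------------
    open (my $db, '<', $db_file_name)
        or cgierr("error in lookup. unable to open db file: $db_file_name.\nReason: $!");
    if ($db_use_flock) { flock($db, LOCK_SH); }
    my @lines = <$db>;
    close $db;

    my @data;
    my $found = 0;
    foreach my $line (@lines) {
        chomp $line;
        @data = split_decode($line);
        my $rec_email = defined $data[$email_field_number] ? $data[$email_field_number] : '';
        my $rec_user  = defined $data[$auth_user_field]    ? $data[$auth_user_field]    : '';
        if (lc($lookup) eq lc($rec_email) or $lookup eq $rec_user) {
            $found = 1;
            last;
        }
    }
    unless ($found) {
        # $lookup is request data and ends up inside the HTML page.
        html_lookup_form("No record found for " . _html_escape($lookup));
        return;
    }
    my $user  = defined $data[$auth_user_field]    ? $data[$auth_user_field]    : '';
    my $email = defined $data[$email_field_number] ? $data[$email_field_number] : '';
    if ($user eq '') {
        # A record without a user name has no password-file entry to reset.
        html_lookup_form("No record found for " . _html_escape($lookup));
        return;
    }

    # --- locate the user's line in the password file ---------------
    # "+<" keeps the current contents until we hold the lock; the old
    # ">" open truncated the file before locking, so a concurrent reader
    # could see an empty password file.
    open (my $pass, '+<', $auth_pw_file)
        or cgierr("unable to open: $auth_pw_file.\nReason: $!");
    if ($db_use_flock) {
        flock($pass, LOCK_EX)
            or cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
    }
    my @passlines = <$pass>;

    my $passfound = '';
    my $output    = '';
    foreach my $passline (@passlines) {
        # Compare the user-name field literally instead of interpolating
        # it into a regex, so metacharacters in a user name can never
        # match a different line.
        my ($pw_user) = split(/:/, $passline, 2);
        $pw_user = '' unless defined $pw_user;
        if ($pw_user eq $user) {
            $passfound = $passline;
        }
        else {
            $output .= $passline;
        }
    }
    unless ($passfound) {
        close $pass;
        html_lookup_form(_html_escape($user) . " not found in password file");
        return;
    }

    # --- generate and store the new password -----------------------
    my $password   = generate_password();
    my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
    my $salt       = join '', @salt_chars[rand(scalar @salt_chars), rand(scalar @salt_chars)];
    my $encrypted  = crypt($password, $salt);

    chomp $passfound;
    # -1 keeps trailing empty fields so the permission columns survive.
    my @passdata = split(/:/, $passfound, -1);
    $passdata[1] = $encrypted;            # field 1 holds the crypt()ed password
    $output .= join(':', @passdata) . "\n";

    seek($pass, 0, 0)     or cgierr("unable to seek $auth_pw_file.\nReason: $!");
    truncate($pass, 0)    or cgierr("unable to truncate $auth_pw_file.\nReason: $!");
    print {$pass} $output or cgierr("unable to write $auth_pw_file.\nReason: $!");
    close($pass)          or cgierr("unable to close $auth_pw_file.\nReason: $!");

    # --- mail the new password to the address on record ------------
    # The stored address becomes a mail header; strip CR/LF so a
    # malformed record cannot add extra headers to the message.
    (my $to = $email) =~ tr/\r\n//d;
    my $mailtext  = "To: $to\n";
    $mailtext .= "From: $admin_email\n";
    $mailtext .= "Subject: $db_name Account Information\n\n";
    $mailtext .= "-" x 60 . "\n\n";
    $mailtext .= "You requested your $db_name account information:\n\n";
    $mailtext .= "Your $db_name User ID is: $user\n";
    $mailtext .= "Your $db_name password is: $password\n\n";
    $mailtext .= "please contact $db_name support at: $admin_email\n";
    $mailtext .= "if you have any questions.\n\n";

    my $message = '';
    if ($db_debug) {
        # Debug mode shows the mail, including the new plaintext
        # password, on the success page instead of sending it.
        $message = $mailtext;
    }
    else {
        # $mailprog is the fixed "|/usr/lib/sendmail -t" from the .cfg;
        # the 2-arg pipe open is only acceptable because it is never
        # built from request data.
        open (my $mail, $mailprog) or cgierr("Can't start mail program");
        print {$mail} $mailtext;
        # The password has already been changed, so a failed send must
        # be reported rather than shown as success.
        close($mail) or cgierr("mail program failed.\nReason: $!");
    }
    html_lookup_success($message);
}

sub _html_escape {
# --------------------------------------------------------
# Escape the HTML-significant characters so a string can be
# interpolated into a page without being read as markup.
    my $text = shift;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}
###############################################################################
# file: db.cgi --new subroutine
sub generate_password {
# --------------------------------------------------------
#### Following subroutine added for secure_password_lookup mod
# Build an 8-character pronounceable password of four
# consonant+vowel pairs (20 consonants x 5 vowels per pair).
#
# Security note: rand() is not a cryptographic generator and the
# keyspace is only 100^4 passwords, so treat the result as a
# temporary password. The explicit srand(time ^ $$) that used to be
# here made the seed guessable from the request time and process id;
# it is gone, perl seeds rand() itself on first use.
    my @consonants = split(//, "bcdfghjklmnprstvwxyz");
    my @vowels     = split(//, "aeiou");
    my $password   = '';
    for (1 .. 4) {
        $password .= $consonants[int(rand(scalar @consonants))]
                  .  $vowels[int(rand(scalar @vowels))];
    }
    return $password;
}
################################################################################
#############
#
# file: html.pl
sub html_login_form
# -- before --
# -- add --
|;
if ($auth_signup) {
print qq|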

<$font>If you don't have an account you can sign up for one online.|; } if ($auth_lookup) { print qq|

<$font>If you have forgotten your user name or password you can have it emailed to you.|; } print qq| ################################################################################ ############# # # file:html.pl sub html_login_failure # -- before --

# -- add -- |; if ($auth_signup) { print qq|

<$font>If you don't have an account you can sign up for one online.|; } if ($auth_lookup) { print qq|

<$font>If you have forgotten your user name or password you can have it emailed to you.|;
}
print qq|
################################################################################
#############
#
# file: html.pl -- new subroutine
#
sub html_lookup_form {
# --------------------------------------------------------
# This form is displayed for users who want their user name and password
# emailed to them.
#
# $error (optional) is shown above the form. It is interpolated into the
# page unescaped, so callers must pass HTML-safe text; lookup() builds
# its "No record found for ..." message from the submitted $in{'lookup'}.
#
    my $error = shift;
    &html_print_headers;
    print qq| $html_title: Password Lookup

Password Lookup

<$font_title>Password Lookup

<$font>To have a new password emailed to you, enter either your user name or your email address below. |;
    if ($error) {
        print qq|

<$font>$error

|;
    }
    print qq|
Email address or user name:

|;
}
################################################################################
#############
#
# file: html.pl -- new subroutine
sub html_lookup_success {
# --------------------------------------------------------
# The user's name and password have successfully been sent.
#
# Shown by lookup() after the password file has been rewritten.
# $message is undef unless $db_debug is set, in which case it is the
# complete mail text, including the new plaintext password, and is
# printed into the page unescaped below the User ID / Password labels.
#
    my $message = shift;
    &html_print_headers;
    print qq| $html_title: Password Sent
$html_title: Password Sent

<$font_title>Password Sent

<$font>Your information has been sent. Please use your user name and password to log in to the database when you receive it.

User ID:
Password:

$message
|;
}