Gossamer Forum: Products: DBMan: Installation: Can I Import PreDefined passwords?

Novice (35 posts)

Jun 1, 2000, 8:59 AM

Post #1 of 30

Shortcut

Can I Import PreDefined passwords?

I'm moving right along with the installation and having fun doing it. I have created my own database format and form - IT WORKS GREAT! Now I am wondering if there is a way to import the password information from an ACCESS database so I don't have to enter 4,000+ customer passwords by hand. Can you explain the logic in how a password is defined.

I must give JPDeni's tutorial an A+++, very well done. The perfect tool for a non-programmer like me. Thanks

VaLinda

Jun 1, 2000, 2:04 PM

Veteran / Moderator (8669 posts)

Jun 1, 2000, 2:04 PM

Post #2 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

Thank you for your kind words about my tutorial. I'm really pleased that it helped you.

Regarding the passwords -- a lot will depend on the structure of the file that you export from Access. This is what I would do:

Export the database with two fields -- username and password -- using a : as a delimiter, like

username1:password1
username2:password2

Save the following as a separate script. Call it convert.cgi.

Code:

#!/usr/bin/perl
# Change the line above to match the path to Perl on your system

$old_pass_file = "/path/to/your/file.txt"; # This is the file you exported from Access

$new_pass_file = "/path/to/default.pass"; # This is the new password file for DBMan to use

@auth_permissions = (1,1,1,1,0); # The permissions you want all users to have

open (OLD, "<$old_pass_file") or &cgierr("unable to open password file. Reason: $!\n");
@lines = <OLD>;
close OLD;

my $permissions = join (":", @auth_permissions);

foreach $line (@lines) {
@data = split (/:/, $line);
$pw = $data[1];
srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
my $salt = join '', @salt_chars[rand 64, rand 64];
my $encrypted = crypt($pw, $salt);
$output .= "$data[0]:$encrypted:$permissions\n";
}

open (NEW, ">$new_pass_file") or &cgierr("unable to open password file. Reason: $!\n");
print NEW $output;
close NEW;

&html_print_headers;
print qq|<html><head><title>Passwords converted</title></head>
<body>Your password file has been converted for use with DBMan.</body></html>|;

sub html_print_headers {
# --------------------------------------------------------
# Print out the headers if they haven't already been printed.

if (!$html_headers_printed) {
print "Content-type: text/html\n\n";
$html_headers_printed = 1;
}
}

sub cgierr {
# --------------------------------------------------------
# Displays any errors and prints out FORM and ENVIRONMENT
# information. Useful for debugging.

if (!$html_headers_printed) {
print "Content-type: text/html\n\n";
$html_headers_printed = 1;
}
print "<PRE>\n\nCGI ERROR\n==========================================\n";
$_[0] and print "Error Message : $_[0]\n";
print "\n</PRE>";
exit -1;
}

Upload the file to your DBMan directory -- in ASCII mode! -- and set the permissions to 755. Also save your .txt file from Access to the same directory.

Run the script from your browser, using the URL --
http://server.com/cgi-bin/dbman/convert.cgi

If all has gone well, you should have a new default.pass file in your directory. Test it out with several of the username/password combinations you know to make sure it works.

Copy the line from the original default.pass file for the admin login and paste it into the new .pass file. Log in as "admin/admin" and give admin permission to yourself and whoever else you want to have it. Then you can delete the "admin" username.

Understand that I have not tested this, except to check for syntax errors. Be sure you have your old default.pass file somewhere so you can still access the database in case it doesn't work. Smile

If it does work, you can then delete the convert.cgi file and the Access password file from your server.

JPD

Jun 1, 2000, 4:21 PM

Novice (35 posts)

Jun 1, 2000, 4:21 PM

Post #3 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

I went step by step through your instructions and got this message.

404 - Document Not Found

The requested object or URL, /cgi-bin/kvdr/convert.cgi was not found on this server.
The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it. Please inform the administrator of the referring page, (none).

--------------------------------------------------------------------------------

In the convert.cgi file I put:
$old_pass_file = "http://www.sonic.net/cgi-bin/kvdr/AccessPassword.txt"; # This is the file you exported from Access
$new_pass_file = "http://www.sonic.net/cgi-bin/kvdr/default.pass"; # This is the new password file for DBMan to use

I checked my permissions carefully, they are 755.
Do I have something wrong here?

Jun 1, 2000, 5:05 PM

Enthusiast (720 posts)

Jun 1, 2000, 5:05 PM

Post #4 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

If AccessPassword.txt and default.pass are in the same directory, you can simply specify their location as:

/AccessPassword.txt
/default.pass

One thing I have noticed while using this script is that the default.pass must exist before hand (ie, the script does not create it itself - at least the copy I have doesnt)

However, a 404 message indicates that you proboly uploaded the file to the wrong directory, or you're typing the address wrong in your browser window... but I'm betting its the first option.

I noticed I also got a 404 msg if I tried accessing 'db.cgi' in the same directory... are you sure that's where everything is?

- Mark

Astro-Boy!!
http://www.zip.com.au/~astroboy/

Jun 1, 2000, 5:15 PM

Enthusiast (720 posts)

Jun 1, 2000, 5:15 PM

Post #5 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

Wait, sorry, disregard that (the top half anyway).

Looking again at the code, it's not the same convert.cgi I have at all.

But the 404 thing still stands Smile

- Mark

Astro-Boy!!
http://www.zip.com.au/~astroboy/

Jun 2, 2000, 8:20 AM

Novice (35 posts)

Jun 2, 2000, 8:20 AM

Post #6 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

I took your suggestion and simplified the file path and renamed the convert.cgi file to cdb.cgi. I also added an edited copy of the default.cfg file to the directory. I no longer get the message that it can't find the file but now I get the following error:

CGI ERROR
==========================================
Error Message : unable to open password file. Reason: No such file or directory

I tried it with the default.pass file in the directory and I tried it without the default.pass file. Still the same error. The file has my password information for admin only.

Any suggestions?

VaLinda

Jun 2, 2000, 2:01 PM

Veteran / Moderator (8669 posts)

Jun 2, 2000, 2:01 PM

Post #7 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

I should have made my error messages more explicit, since it's not clear which file it is unable to open. My guess is that it's not finding the .txt file you exported from Access.

Make sure that your .txt file is in the same directory as your other DBMan files.

Change

$old_pass_file = "/path/to/your/file.txt"; # This is the file you exported from Access
$new_pass_file = "/path/to/default.pass"; # This is the new password file for DBMan to use

to

$db_script_path = ".";
# Change the line below to reflect the name of your exported file
$old_pass_file = $db_script_path . "/file.txt";
$new_pass_file =$db_script_path . "/default.pass"; # This is the new password file for DBMan to use

JPD

Jun 2, 2000, 11:03 PM

LoisC

Veteran / Moderator (3034 posts)

Jun 2, 2000, 11:03 PM

Post #8 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

JP:

There is another slightly different version of this you posted in forum 5.

Topic of thread: Large number of passwords
Dated: April 16, 2000

http://www.gossamer-threads.com/perl/forum/showthreaded.pl?Cat=&Board=DBInst&Number=61254&Search=true&Forum=DBInst&Words=Large number of passwords&Match=Entire Phrase&Searchpage=0&Limit=25&Old=6months

A few of the lines look different, the other was fully tested and worked fine.

Hope this helps

Jun 2, 2000, 11:13 PM

Veteran / Moderator (8669 posts)

Jun 2, 2000, 11:13 PM

Post #9 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

Yes, it's basically the same. The differences are cosmetic. But use that one, if you can't get this one going.

It's also in a thread in the DBMan Discussion forum right now. And when it gets validated, it will be in the Resource Center. (Thanks, Mark!)

JPD

Jun 3, 2000, 8:21 AM

Novice (35 posts)

Jun 3, 2000, 8:21 AM

Post #10 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

JP,

I made the changes you suggested and the program seems to be working. When I went to test a password it would not recognize it. I checked for format of what was converted to the format of a DBMan password, they seem identical with the exception of yours enters a 0 for the admin permission where DBMan leaves it null. Maybe it is the original format of the export from Access. I started with two text Access fields and exported the table as a txt file. In the export I chose "delimited', using the : with a text qualifier of {none}. Then I transfered the file to my directory in the ASCII format and ran the program. I am close, I know it, what am I missing?
I couldn't understand the message from LoisC. Is that a location where I can find the other script?

Thanks,
VaLinda

*** I tried AstroBoy's suggestion in the discussion group of June 01-03. Same thing happened, the script created the password file but the passwords won't work.

Jun 3, 2000, 11:28 AM

Veteran / Moderator (8669 posts)

Jun 3, 2000, 11:28 AM

Post #11 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

So you tried to log in using the new .pass file and couldn't, right? That's very strange.

Could you post a sample from your database -- a password from the Access file and the corresponding one from the converted .pass file? (Don't post the username that's associated with it.)

Yes, Lois's post gives a pointer to the first time I wrote this script. It's the same as the one AstroBoy posted in the other thread.

JPD

Jun 3, 2000, 3:17 PM

Novice (35 posts)

Jun 3, 2000, 3:17 PM

Post #12 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

Password format after export from Access:
John|Rain
Jane|Hello
Jack|Smith

Password format after convert.cgi/saved to default.pass:
John:r76bvTTcTg972:1:0:0:1:0
Jane:JXtMWG3d3k/D.:1:0:0:1:0
Jack:Jx.PNhQHH9U9.:1:0:0:1:0

Don't worry about user names, these are only test files.
(How do you use the happy faces, I really appreciate everyones help.)

Jun 3, 2000, 4:21 PM

Stealth

Veteran (17240 posts)

Jun 3, 2000, 4:21 PM

Post #13 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

Read the FAQ page, which is linked at the TOP and BOTTOM of every Forum and Thread web page.

Wink

Regards,

Eliot Lee

Jun 4, 2000, 3:33 AM

Veteran / Moderator (8669 posts)

Jun 4, 2000, 3:33 AM

Post #14 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

I'm not having any luck with this either -- with either one of the scripts.

Let me work on it a bit.

Regarding the smilies, when you respond to a message, you'll see the words "markup in your posts" at the top of the page. Click on that, and you'll get the whole list. Smile

JPD

Jun 5, 2000, 1:51 PM

Novice (35 posts)

Jun 5, 2000, 1:51 PM

Post #15 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

JP

I appreciate the time you are putting into this. Smile

Thanks,
VaLinda

Jun 5, 2000, 5:04 PM

Enthusiast (720 posts)

Jun 5, 2000, 5:04 PM

Post #16 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

Ok, after much benchtesting convert.cgi, I discovered the following:

It works pefectly Tongue

I tried all sorts of weird things, importing short passwords, long passwords, all caps, no caps, combinations... every time it worked fine... Which leads me to two options:

1) My database is very strange Smile

2) Something is happening on your end...

I'd like to think it was the later (after all, no one wants a strange database Wink

), so here are some ideas:

You converted caps but are entering lower case?
Your password.txt may not be delimited properly?

I'm pulling at strings here, but from what I've seen, convert.cgi works fine.

- Mark

Astro-Boy!!
http://www.zip.com.au/~astroboy/

Jun 5, 2000, 11:40 PM

Veteran / Moderator (8669 posts)

Jun 5, 2000, 11:40 PM

Post #17 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

The problem is that the passwords are not encrypted when I use the script in the same way they are encrypted when I add them through the DBMan Admin display. I haven't tried running it on a Unix system, but it doesn't work right on my Win98 system.

VaLinda, what type of system are you using?

If we can't get this to work, you have two choices, neither one of which is very appealing. You can enter all of your passwords by hand in the Admin display (ouch!) or you can take out the encryption from DBMan (potential ouch) and just import the unencrypted passwords. I hate to suggest taking out encryption, but it may be the only way.

I probably shouldn't do this, but I'm wondering if maybe Mark could convert your passwords for you, since he seems to be able to get it done pretty easily. You might not want to send your passwords to someone else and Mark may be too busy to do it, but I thought I'd mention the idea anyway.

JPD

Jun 6, 2000, 7:52 AM

Novice (35 posts)

Jun 6, 2000, 7:52 AM

Post #18 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

First I'll respond to Astroboy since he is doing something right. In reference to his question of caps, I was very careful about entering exactly as in the original database. His comment about a correct export could be a possibility. In a previous post I described my export selections, could Astroboy take a look to see if something looks wrong there?
Concerning your question of the Windows version, my attempts were made from Access 2000 using Windows 95. In the last week I purchased a new computer with Windows 98, I will try it again today. Maybe there is something about Access 2000?
If this doesn't work I think I would like to take out the encryption. Can you tell me what part of the script this involves. Also, is there a way to add a second required password before accessing a record? It's my understanding that if I have my default.pass file in my cgi directory it is secure from prowling eyes, is that true?

Thanks,
VaLinda

Jun 6, 2000, 5:07 PM

Veteran / Moderator (8669 posts)

Jun 6, 2000, 5:07 PM

Post #19 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

My question about Windows is more about what platform the server is running on. I used server software on my home computer and it didn't create a workable file. When I finish here, I'll upload the script to my Unix server and see if it makes any difference. If it works, I might be able to set up a password conversion utility on my site that you could just use to generate the file.

Regarding taking out the encryption, here's what you need to do.

In auth.pl, sub check_password, change

Code:

if (($in{'userid'} eq $userid) && (crypt($in{'pw'}, $pw) eq $pw)) {

Code:

if (($in{'userid'} eq $userid) && ($in{'pw'} eq $pw)) {

In db.cgi, sub admin display, change

Code:

open (PASS, ">>$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
if ($db_use_flock) {
flock(PASS, 2) or &cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
}
my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
my $salt = join '', @salt_chars[rand 64, rand 64];
my $encrypted = crypt($in{'password'}, $salt);
print PASS "$in{'new_username'}:$encrypted:$in{'per_view'}:$in{'per_add'}:$in{'per_del'}:$in{'per_mod'}:$in{'per_admin'}\n";
close PASS;
$message = "User: $in{'new_username'} created.";
last CASE;

Code:

open (PASS, ">>$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
if ($db_use_flock) {
flock(PASS, 2) or &cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
}
print PASS "$in{'new_username'}:$in{'password'}:$in{'per_view'}:$in{'per_add'}:$in{'per_del'}:$in{'per_mod'}:$in{'per_admin'}\n";
close PASS;
$message = "User: $in{'new_username'} created.";
last CASE;

In the same subroutine, change

Code:

my $found = 0;
foreach $line (@lines) {
if ($line =~ /^$in{'username'}:/) {
my $password = (split (/:/, $line))[1];
unless ($password eq $in{'password'}) {
my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
my $salt = join '', @salt_chars[rand 64, rand 64];
$password = crypt($in{'password'}, $salt);
}
print PASS "$in{'username'}:$password:$in{'per_view'}:$in{'per_add'}:$in{'per_del'}:$in{'per_mod'}:$in{'per_admin'}\n";
$found = 1;
}
else {
print PASS $line;
}
}
$in{'inquire'} = $in{'username'};
$found ?
($message = "User: $in{'username'} updated.") :
($message = "Unable to find user: '$in{'username'}' in the password file.");
last CASE;

Code:

my $found = 0;
foreach $line (@lines) {
if ($line =~ /^$in{'username'}:/) {
print PASS "$in{'username'}:$in{'password'}:$in{'per_view'}:$in{'per_add'}:$in{'per_del'}:$in{'per_mod'}:$in{'per_admin'}\n";
$found = 1;
}
else {
print PASS $line;
}
}
$in{'inquire'} = $in{'username'};
$found ?
($message = "User: $in{'username'} updated.") :
($message = "Unable to find user: '$in{'username'}' in the password file.");
last CASE;

In sub signup, change

Code:

# Add the userid into the file with default permissions.
open (PASS, ">>$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
if ($db_use_flock) {
flock(PASS, 2) or &cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
}
srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
my $salt = join '', @salt_chars[rand 64, rand 64];
my $encrypted = crypt($in{'pw'}, $salt);
my $permissions = join (":", @auth_signup_permissions);

print PASS "$in{'userid'}:$encrypted:$permissions\n";
close PASS;

Code:

In Reply To:

It's my understanding that if I have my default.pass file in my cgi directory it is secure from prowling eyes, is that true?

Usually, yes. Most servers are set up so that you can only access .cgi and .pl files directly from the web. You can try it with your current server to make sure that is the case. Enter your regular db.cgi URL as you would to access the database, but change db.cgi to default.pass. See if anything comes up.

The other problem I have seen is with a shared server. It is possible for someone else with an account on the same server host to access the files in your directory. He/she wouldn't be able to change anything, but could download the .pass file. That is what happened to a client of mine. A malicious person read the uncrypted .pass file, logged in as a user with admin permission and ruined a whole lot of records. That is why I changed my password lookup mod to one that included encryption.

I will go in now and see if the convert script works on my Unix server. Maybe we can get this licked yet. Smile

JPD

Jun 6, 2000, 5:19 PM

Veteran / Moderator (8669 posts)

Jun 6, 2000, 5:19 PM

Post #20 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

Update: It didn't work on my Unix server either.

I wonder if it would make any difference if I tried putting the convert.cgi script into a subroutine within DBMan. Looks like this is my next job to do. Smile

JPD

Jun 6, 2000, 6:05 PM

Veteran / Moderator (8669 posts)

Jun 6, 2000, 6:05 PM

Post #21 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

Nope. It didn't work on my Unix server either. How did Mark get it to work? Smile

This is going to take a lot more work.

JPD

Jun 6, 2000, 6:41 PM

Enthusiast (720 posts)

Jun 6, 2000, 6:41 PM

Post #22 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

In Reply To:

I haven't tried running it on a Unix system, but it doesn't work right on my Win98 system.

Now there's a thought... I am running on a Unix system, perhaps Win NT/98 hosts have some problem?

Though you'd think that if a Win system can't handle convert.cgi, why would it have no trouble converting passwords in db.cgi? Don't both run the same encryption process?

In Reply To:

Nope. It didn't work on my Unix server either. How did Mark get it to work?

Hmm... maybe my database is strange Smile

Has anyone else used convert.cgi successfully?

In desperation, I copied the convert.cgi posted in resources and used it in place of my original - it worked. This is just bizzare Crazy

One last note, i use password.txt and converted.txt. After conversion, I copy across the results... password.txt has permission 640 converted.txt has permission 666 It probobly makes no difference what-so-ever, but I wouldn't know if it did or not, so i thought it might be worth a mention Tongue

Well, I'm fresh out of ideas... I think we should ask around, because if no one can get the thing to work, it should probobly come out of resources.

- Mark

Astro-Boy!!
http://www.zip.com.au/~astroboy/

Jun 6, 2000, 9:39 PM

Veteran / Moderator (8669 posts)

Jun 6, 2000, 9:39 PM

Post #23 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

If it works for one person, it should work for everybody -- barring server differences. It really should work for me -- I wrote the darned thing!! Laugh

JPD

Jun 7, 2000, 3:53 AM

Veteran / Moderator (8669 posts)

Jun 7, 2000, 3:53 AM

Post #24 of 30

Shortcut

Re: Can I Import PreDefined passwords? In reply to

I found the problem and, boy, do I feel stupid! Blush

Code:

#!/usr/local/bin/perl
# Change the line above to match your path to perl
# ------------------------------------------------------
# CGI Script for converting delimited ascii text files
# into a password file for DB man.
#
# Data in password.txt should be of the format:
# username|password
# ------------------------------------------------------

$db_script_path = ".";

# change the line below to the name of your current password file
$password_file = $db_script_path . "/file.txt";

# Full path and file name of the password file.
$auth_pw_file = $db_script_path . "/default.pass";
# Permissions for every user (View, Add, Delete, Modify, Admin), 1 = enable, 0 = disable.
@auth_signup_permissions = (1,0,0,1,0);
open (PASS, "<$password_file") or
&cgierr("error in convert. unable to open old password file: $password_file.\nReason: $!");
@lines=<PASS>;
close PASS;

open (PASS, ">$auth_pw_file") or
&cgierr("error in convert. unable to open new password file: $auth_pw_file.\nReason: $!");
foreach $line (@lines) {
chomp $line;
# Defines the delimiter. In this case, a "|"
@data=split '\|',$line;
my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
my $salt = join '', @salt_chars[rand 64, rand 64];
my $encrypted = crypt($data[1], $salt);
my $permissions = join (":", @auth_signup_permissions);
print PASS "$data[0]:$encrypted:$permissions\n";
}
close PASS;

(chmod 0666, $auth_pw_file) or &cgierr("error in convert. unable chmod file: $auth_pw_file.\nReason: $!");;

print "Content-type: text/html\n\n
<html><head><title>File Converted</title><head>
<body>Your text file has been converted</body></html>";

sub cgierr {
# --------------------------------------------------------
# Displays any errors
if (!$html_headers_printed) {
print "Content-type: text/html\n\n";
$html_headers_printed = 1;
}
print "<PRE>\n\nCGI ERROR\n==========================================\n";
$_[0] and print "Error Message : $_[0]\n";
print "\n</PRE>";
exit -1;
}

This file uses a | for a delimiter, but you can use any character you want. Just change the blue line above.

JPD

Jun 7, 2000, 4:50 AM