Linux login via node.js

Question

I'm currently building an (experimental) webapp to login and control a (linux) server (especially for monitoring) in node.js. For authentification i would like to use the linux users.

Either via /etc/passwd and /etc/shadow , reading information works quite good, but i can not authenticate ( crypto , bcrypt won't work), via child_process.exec i can execute openssl passwd , this only generates md5 ( 1 ), but the passwords stored in /etc/shadow are encrypted with SHA512 ( 6 ). Is there any way I'm missing out?

The other way i tried, is using the login command (via child_process.spawn ). but this always exits with code 1 . All other commands (eg apt-get upgrade ) work as expected.

PS: my server is running on root so there should be no problem with permissions.

Thanks for your help

EDIT : As i already pointed out, this is an EXPERIMENTAL project, so I'm not planning to use it in production, i was just curious about it. It's a bit similar to PCMonitor

I know running it as root is not a good idea, and thats not what i would use in production apps.

To clarify : My question was more about, why every command (i have tried so far) works good with child_process.spawn except login . And how i could generate a SHA512 password with a salt (exactly like the ones in /etc/shadow

Answer 1

Well this question is rather old, but I stumbled upon a similar problem verifying the entered password against the systems user db. Maybe this can help others having the same task.

I finally did it via the expect tool.
So I came up with this expect script:

#!/usr/bin/expect

set username [lindex $argv 0];
set password [lindex $argv 1];
set timeout 5

puts "$username $password"

if {[file exists /usr/bin/su]} {
    spawn /usr/bin/su $username
}
if {[file exists /bin/su]} {
    spawn /bin/su $username
}

expect -exact "Password:"
send "$password\n" 

expect { 
    -ex "su: " {
        puts "login failed"
        exit 1
    }
    -ex "@" {
        puts "login successful"
        send "exit\n"
        exit 0
    }
    timeout {
        puts "login failed (timeout)"
        exit 1
    }

    default { 
        puts "login failed (unknown reason)"
        exit 1
    }
}

If you save this script for example as pw_check.sh you then can call it like this in nodejs

var child = execFile(
        '/path/to/pw_check.sh',
        [username,password],
        {stdio: ['pipe', 'pipe', 'pipe']});

        child.on('exit', function(code, signal) {
            if (code === 0) {
                //pw check was successful
            } else {
                console.log("Authentication error.")
                //pw check failed
            }
        });

I must admit that this is not a very secure way to do this, but I found no better one yet. And creating a separate user db was no option for me.

Answer 2

You can use node.js to connect via SSH to the localhost server, check out this module https://github.com/mscdex/ssh2 . You can forward the commands sent via the web api to the ssh connection.

This way it would be a lot safer than exec-ing commands, and you would be able to use any users allowed to ssh.