A very simple patch to
packages/acs-subsite/www/register/index.tcl
could prevent your staff from getting the persistent login cookie.
Just replace
set persistent_login_p [ad_parameter AllowPersistentLoginP security 1]
with
# Brace the condition so Tcl does not substitute it before evaluating it.
# The row count is compared to 0 explicitly rather than relying on string truthiness.
# Note: the original query was not restricted to any particular user, so it was
# non-zero whenever the site had any staff member at all; the m.member_id clause
# and the :user_id bind variable are an assumption that the user being checked is
# already known on this page.
if { [db_string is_staff_member {
    select count(1)
    from group_member_map m, groups g
    where m.group_id = g.group_id
    and g.group_name = 'Staff'
    and m.member_id = :user_id
}] > 0 } {
    # Staff accounts never get the persistent login cookie.
    set persistent_login_p 0
} else {
    set persistent_login_p 1
}
The effect will be that staff members will have to log in again each time they visit the site from a new browser window. Combine that with the SessionTimeout parameter (which you set on the acs-kernel package), and you've made it pretty hard for someone to sneak into your office and get admin access to your website.
You've still got to solve the problem of synchronizing the passwords in the ACS users table with the Unix passwords chosen by your employees. Is it possible to run a setuid Perl or shell script that can decrypt the passwords in /etc/shadow? If so, then you could execute that script from an AOLserver scheduled procedure, notice any passwords that have changed since the last time you ran, and call ad_change_password. I don't know how to write that hypothetical script though (maybe it's intentionally not possible), or how to let AOLserver run it without also making it available to any other hacker on the system.