Long story short, I'm developing an in-house report engine. It is entirely web based (utilising PHP and various AJAX techniques) and interprets data stored in a MySQL database by our production software. It runs on an Ubuntu 8.04 server, and all employees have a linux user account on that machine. I set up a login system using pam_auth that forces a user to log in with their linux user account and determines whether or not they belong to the appropriate group to access particular reports.
That part works great, my problem here is adding a "remember me" function using cookies. I would like for users to have a 30-day cookie just to save them some time and aggravation having to log in every time their session expires. I wrote the "remember me" portion of the code and it stores the cookie just fine. I'm storing only their user name and a md5 hash of their password. The problem here comes when it's time to re-authenticate them. Normally I'd simply do this by comparing the stored username with a password hash of that user from the database. What complicates things is that I don't have direct access to the usernames and password hashes. They are all stored in /etc/passwd and /etc/shadow and logins are handled by the PAM module. pam_auth expects a plain text username and plain text password.
It seems like my only alternatives are to either store the password as plain text, or with a reversible encryption, but I don't particularly like either of those ideas.
Are there any better solutions here?
