
Re: poppassd



I'm using poppassd v1.8-ceti from 

http://www.ceti.com.pl/~kravietz/prog.html

It doesn't suffer from any of the problems you described below.

1) I can't use an old password, only the current password will work to
change the password

2) It is PAM aware

3) It supports MD5 

I also make sure that my users change their password via an https form to
step up the security between the client and server.

If you look at the poppassd-1.8-ceti source, it's nice and clean and has
some handy configuration options such as

#define POP_MIN_UID		/* minimum UID which is allowed to change

This is handy to make sure that uid 0 doesn't get its password changed by
some clown who thinks this could be fun.

Maybe Debian ought to investigate using the -ceti branch of poppassd.


On Wed, 9 Jan 2002, martin f krafft wrote:

> alright, my users don't know how to do shell, and they can't change
> passwords. now, i just upgraded to squirrelmail (upgraded because i had
> IMP before, barf!), which has a plugin to change the password. it's TLS
> encrypted, so not too much of a problem, but in testing out poppassd,
> the underlying password changing daemon (usually used for Eudora), i
> have just fainted:
> 
> (assume johndoe's password is mypw, and he changes to mypw2)
> 
>   200 seamus poppassd v1.2 hello, who are you?
>   user johndoe
>   200 your password please.
>   pass mypw
>   200 your new password please.
>   newpass mypw2
>   200 Password changed, thank you.
>   quit
>   200 Bye.
> 
> all good up to here:
> 
>   madduck@seamus:~> su johndoe
>   Password:                       < enter "mypw"
>   su: Authentication failure
>   Sorry.
>   madduck@seamus:~> su johndoe
>   Password:                       < enter "myNewpw"
>   johndoe@seamus:/home/madduck>
> 
> now sit and chill, we'll just do it again:
> 
>   200 seamus poppassd v1.2 hello, who are you?
>   user johndoe
>   200 your password please.
>   pass mypw                        <<<======== the old one !!!
>   200 your new password please.
>   newpass mypw3
>   200 Password changed, thank you.
>   quit
>   200 Bye.
> 
> poppassd asks for the password, but it seemingly doesn't care!!! sure,
> it runs as root, so it doesn't need it, but it should validate it!!!
> 
> (and yes, indeed, it *did* change the password.)
> 
>   madduck@seamus:~> su johndoe
>   Password:                       < enter "mypw"
>   su: Authentication failure
>   Sorry.
>   madduck@seamus:~> su johndoe
>   Password:                       < enter "myNewpw"
>   su: Authentication failure
>   Sorry.
>   madduck@seamus:~> su johndoe
>   Password:                       < enter "myOtherpw"
>   johndoe@seamus:/home/madduck>
> 
> it gets better:
> 
>   200 seamus poppassd v1.2 hello, who are you?
>   user johndoe
>   200 your password please.
>   pass kjsdgkl                     <<<======== a totally random string
>   200 your new password please.
>   newpass abcabcab
>   500 Invalid user or password
> 
> aha. smartie! *but*:
> (recall that the password is still "myOtherpw")
> 
>   200 seamus poppassd v1.2 hello, who are you?
>   user johndoe
>   200 your password please.
>   pass mypw2                       <<<========= *a* previous one
>   200 your new password please.
>   newpass another
>   200 Password changed, thank you.
>   quit
>   200 Bye.
> 
> and it changed it again...
> 
> ... which means that even though i bound to localhost only, any local
> user can change any other one's password, even root's!
> 
> but it also means that i am confused. the man page and docs say
> specifically that the proggie uses the passwd binary, and does not edit
> /etc/shadow by itself. but while johndoe's password was md5 hashed in
> /etc/shadow before all this happened, look at it now:
> 
> johndoe:ZmwcDtXWGdpLM:11354:0:99999:7:::
> 
> that's not md5! it's crypt()!
> 
> moreover, PAM never logged a passwd change, but poppassd logged to
> /var/log/syslog itself.
> 
> now all this aside, maybe someone can explain to me the algorithm of
> poppassd: apparently, it only lets you change your password if the old
> password you provide with "pass" is the original or any of the passwords
> that you had once used through poppassd. if you try other strings for
> password, poppassd will deny the update. is this an inherent "feature"
> of the crypt() hashes, or is something thoroughly screwed up? actually,
> further testing established that when you change a password "mypw" to
> "mypw2", both will work, if you then change it to "mypw3", all three
> will work. however, if it starts out as "mypw2" md5-hashed, then the
> other two won't work. i still don't understand it, and yes, the
> passwords are all <8 characters!
> 
> if it uses /bin/passwd actually as root, it can't really check the old
> password anyway, so that would explain why you can change anyone's
> password. but then why did the third attempt, using the totally random
> string as old password, fail???
> 
> well, let's look at the source... which is horrible, i find. oh well. it
> talks about /bin/passwd all over, how it will use that binary as an
> abstraction mechanism and all that, but it *never* executes passwd!!!
> instead, it uses newusers, with its own encoded password, which is a
> crypt(). great abstraction layer, given that the rest of passwd is md5!
> 
> okay, poppassd shouldn't be used anyway... well... still, this is a big
> issue, i find... in fact, i'd almost propose kicking this package out of
> debian!
> 
> any comments? is this a known issue? couldn't find anything on the
> web... nor could i find a bug against poppassd, nor are there mentions
> in the docs.
> 
> -- 
> martin;              (greetings from the heart of the sun.)
>   \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
>   
> the nice thing about windoze is - it does not just crash,
> it displays a dialog box and lets you press 'ok' first.
> 



Today's root password is brought to you by /dev/random

.-------------------------------------.
| Steve Mickeler * Network Operations |
+-------------------------------------+
|     Neptune Internet Services       |
`-------------------------------------'

1024D/ACB58D4F = 0227 164B D680 9E13 9168  AE28 843F 57D7 ACB5 8D4F
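
An added example, not part of the original message or of poppassd: a small audit over shadow-format lines that flags accounts whose hash is no longer MD5-crypt, which is what happened to johndoe's entry in the quoted report. Only the johndoe line comes from the thread; the other sample entries and all function names are constructed for illustration.

```python
import re

# Constructed sample in /etc/shadow format. The johndoe line is the one quoted
# in the thread; every other entry is a made-up placeholder.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:11350:0:99999:7:::
johndoe:ZmwcDtXWGdpLM:11354:0:99999:7:::
daemon:*:11300:0:99999:7:::
locked:!$1$abcdefgh$0123456789abcdefghijkl:11351:0:99999:7:::
"""

# Traditional DES crypt(): exactly 13 characters (2 salt + 11 hash).
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-crypt: $1$<salt up to 8 chars>$<22-char hash>.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify_hash(field):
    """Return the hashing scheme of one shadow password field."""
    if field == "":
        return "empty"                 # no password required at all
    body = field.lstrip("!")           # a leading '!' marks a locked account
    if body in ("", "*"):
        return "disabled"              # no password login possible
    if MD5_RE.match(body):
        return "md5-crypt"
    if DES_RE.match(body):
        return "des-crypt"             # only the first 8 characters are used
    if body.startswith("$"):
        return "other-modular"
    return "unknown"


def audit_shadow(text, expected="md5-crypt"):
    """List (user, scheme) for usable entries not hashed with `expected`."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2:
            continue
        user, scheme = parts[0], classify_hash(parts[1])
        if scheme not in (expected, "disabled"):
            findings.append((user, scheme))
    return findings


if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: password stored as {scheme}, expected md5-crypt")
```

Running such a check before and after a password change made through a helper daemon shows whether the helper writes hashes in the scheme the rest of the system is configured for.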




