Re: poppassd
Potato has 1.2-14 as its latest for poppassd... I agree that
v1.8-ceti would be a better solution, especially considering the
security issues you cited. What does it take to get this version into
the security updates? A bug filed?
Micah
On Wed, 09 Jan 2002, Steve Mickeler wrote:
>
> I'm using poppassd v1.8-ceti from
>
> http://www.ceti.com.pl/~kravietz/prog.html
>
> It doesn't suffer from any of the problems you described below.
>
> 1) I can't use an old password, only the current password will work to
> change the password
>
> 2) It is PAM aware
>
> 3) It supports MD5
>
> I also make sure that my users change their password via an https form to
> step up the security between the client and server.
>
> If you look at the poppassd-1.8-ceti source, it's nice and clean and has
> some handy configuration options such as
>
> #define POP_MIN_UID /* minimum UID which is allowed to change
>
> This is handy to make sure that uid 0 doesn't get its password changed by
> some clown who thinks this could be fun.
>
> Maybe Debian ought to investigate using the -ceti branch of poppassd.
>
>
> On Wed, 9 Jan 2002, martin f krafft wrote:
>
> > alright, my users don't know how to do shell, and they can't change
> > passwords. now, i just upgraded to squirrelmail (upgraded because i had
> > IMP before, barf!), which has a plugin to change the password. it's TLS
> > encrypted, so not too much of a problem, but in testing out poppassd,
> > the underlying password changing daemon (usually used for Eudora), i
> > have just fainted:
> >
> > (assume johndoe's password is mypw, and he changes to mypw2)
> >
> > 200 seamus poppassd v1.2 hello, who are you?
> > user johndoe
> > 200 your password please.
> > pass mypw
> > 200 your new password please.
> > newpass mypw2
> > 200 Password changed, thank you.
> > quit
> > 200 Bye.
> >
> > all good up to here:
> >
> > madduck@seamus:~> su johndoe
> > Password: < enter "mypw"
> > su: Authentication failure
> > Sorry.
> > madduck@seamus:~> su johndoe
> > Password: < enter "myNewpw"
> > johndoe@seamus:/home/madduck>
> >
> > now sit and chill, we'll just do it again:
> >
> > 200 seamus poppassd v1.2 hello, who are you?
> > user johndoe
> > 200 your password please.
> > pass mypw <<<======== the old one !!!
> > 200 your new password please.
> > newpass mypw3
> > 200 Password changed, thank you.
> > quit
> > 200 Bye.
> >
> > poppassd asks for the password, but it seemingly doesn't care!!! sure,
> > it runs as root, so it doesn't need it, but it should validate it!!!
> >
> > (and yes, indeed, it *did* change the password.)
> >
> > madduck@seamus:~> su johndoe
> > Password: < enter "mypw"
> > su: Authentication failure
> > Sorry.
> > madduck@seamus:~> su johndoe
> > Password: < enter "myNewpw"
> > su: Authentication failure
> > Sorry.
> > madduck@seamus:~> su johndoe
> > Password: < enter "myOtherpw"
> > johndoe@seamus:/home/madduck>
> >
> > it gets better:
> >
> > 200 seamus poppassd v1.2 hello, who are you?
> > user johndoe
> > 200 your password please.
> > pass kjsdgkl <<<======== a totally random string
> > 200 your new password please.
> > newpass abcabcab
> > 500 Invalid user or password
> >
> > aha. smartie! *but*:
> > (recall that the password is still "myOtherpw")
> >
> > 200 seamus poppassd v1.2 hello, who are you?
> > user johndoe
> > 200 your password please.
> > pass mypw2 <<<========= *a* previous one
> > 200 your new password please.
> > newpass another
> > 200 Password changed, thank you.
> > quit
> > 200 Bye.
> >
> > and it changed it again...
> >
> > ... which means that even though i bound to localhost only, any local
> > user can change any other one's password, even root's!
> >
> > but it also means that i am confused. the man page and docs say
> > specifically that the proggie uses the passwd binary, and does not edit
> > /etc/shadow by itself. but while johndoe's password was md5 hashed in
> > /etc/shadow before all this happened, look at it now:
> >
> > johndoe:ZmwcDtXWGdpLM:11354:0:99999:7:::
> >
> > that's not md5! it's crypt()!
> >
> > moreover, PAM never logged a passwd change, but poppassd logged to
> > /var/log/syslog itself.
> >
> > now all this aside, maybe someone can explain to me the algorithm of
> > poppassd: apparently, it only lets you change your password if the old
> > password you provide with "pass" is the original or any of the passwords
> > that you had once used through poppassd. if you try other strings for
> > password, poppassd will deny the update. is this an inherent "feature"
> > of the crypt() hashes, or is something thoroughly screwed up? actually,
> > further testing established that when you change a password "mypw" to
> > "mypw2", both will work, if you then change it to "mypw3", all three
> > will work. however, if it starts out as "mypw2" md5-hashed, then the
> > other two won't work. i still don't understand it, and yes, the
> > passwords are all <8 characters!
> >
> > if it uses /bin/passwd actually as root, it can't really check the old
> > password anyway, so that would explain why you can change anyone's
> > password. but then why did the third attempt, using the totally random
> > string as old password, fail???
> >
> > well, let's look at the source... which is horrible, i find. oh well. it
> > talks about /bin/passwd all over, how it will use that binary as an
> > abstraction mechanism and all that, but it *never* executes passwd!!!
> > instead, it uses newusers, with its own encoded password, which is a
> > crypt(). great abstraction layer, given that the rest of passwd is md5!
> >
> > okay, poppassd shouldn't be used anyway... well... still, this is a big
> > issue, i find... in fact, i'd almost propose kicking this package out of
> > debian!
> >
> > any comments? is this a known issue? couldn't find anything on the
> > web... nor could i find a bug against poppassd, nor are there mentions
> > in the docs.
> >
> > --
> > martin; (greetings from the heart of the sun.)
> > \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
> >
> > the nice thing about windoze is - it does not just crash,
> > it displays a dialog box and lets you press 'ok' first.
> >
>
>
>
> Today's root password is brought to you by /dev/random
>
> .-------------------------------------.
> | Steve Mickeler * Network Operations |
> +-------------------------------------+
> | Neptune Internet Services |
> `-------------------------------------'
>
> 1024D/ACB58D4F = 0227 164B D680 9E13 9168 AE28 843F 57D7 ACB5 8D4F
>
>
>
>
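Added example, not part of the original thread and not poppassd's code: an audit that classifies the hash scheme of each /etc/shadow entry, so an account rewritten with traditional crypt() on an MD5 system (like the johndoe line quoted above) stands out. The function names are hypothetical, and every sample line except johndoe's is constructed.

```python
"""Flag shadow entries whose hash scheme fell back to traditional crypt()."""
import re
import sys

# "$id$" prefixes of modular-crypt hashes -> scheme name.
PREFIXES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}
# Traditional DES crypt(): 2 salt chars + 11 hash chars, no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Return the scheme name for the password field of one shadow entry."""
    if not field:
        return "empty"
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        parts = field.split("$")
        return PREFIXES.get(parts[1], "unknown") if len(parts) >= 3 else "unknown"
    return "des-crypt" if DES_RE.match(field) else "unknown"

def audit(lines, expected="md5-crypt"):
    """List (user, scheme) for accounts not using the expected scheme."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed entry, nothing to classify
        scheme = classify(fields[1])
        if scheme not in ("locked", expected):
            findings.append((fields[0], scheme))
    return findings

# Constructed sample; only the johndoe line is taken from the thread.
SAMPLE = """\
root:$1$Cnstrct0$abcdefghijklmnopqrstuv:11354:0:99999:7:::
daemon:*:11300:0:99999:7:::
johndoe:ZmwcDtXWGdpLM:11354:0:99999:7:::
janedoe:$1$Cnstrct1$ABCDEFGHIJKLMNOPQRSTUV:11350:0:99999:7:::
"""

if __name__ == "__main__":
    # Pass a path (e.g. a root-readable copy of /etc/shadow) or use the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for user, scheme in audit(src):
        print(f"{user}: {scheme}")
```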