Re: poppassd

To: Steve Mickeler <steve@neptune.on.ca>
Cc: martin f krafft <madduck@madduck.net>, debian users <debian-user@lists.debian.org>, debian security <debian-security@lists.debian.org>, wmono@debian.org
Subject: Re: poppassd
From: Micah Anderson <micah@riseup.net>
Date: Wed, 9 Jan 2002 16:27:23 -0800
Message-id: <[🔎] 20020109162723.V6516@riseup.net>
In-reply-to: <[🔎] Pine.LNX.4.21.0201091622200.648-100000@triton.neptune.on.ca>
References: <[🔎] 20020109210300.GA28162@fishbowl.madduck.net> <[🔎] Pine.LNX.4.21.0201091622200.648-100000@triton.neptune.on.ca>

Potato has 1.2-14 as its latest for poppasswd... I agree that
v1.8-ceti would be a better solution, especially considering the
security issues you cited. What does it take to get this version into
the security updates? A bug filed?

Micah


On Wed, 09 Jan 2002, Steve Mickeler wrote:

> 
> I'm using poppassd v1.8-ceti from 
> 
> http://www.ceti.com.pl/~kravietz/prog.html
> 
> It doesnt suffer from any of the problems you described below.
> 
> 1) I cant use an old password, only the current password will work to
> change the password
> 
> 2) It is PAM aware
> 
> 3) It supports MD5 
> 
> I also make sure that my users change their password via an https form to
> step up the security between the client and server.
> 
> If you look at the poppassd-1.8-ceti source, its nice and clean and has
> some handy configuration options such as
> 
> #define POP_MIN_UID		/* minimum UID which is allowed to change
> 
> This is handy to make sure that uid 0 doesnt get its password changed by
> some clown who thinks this could be fun.
> 
> Maybe debian ought to investigate using the -ceti branch of poppassd.
> 
> 
> On Wed, 9 Jan 2002, martin f krafft wrote:
> 
> > alright, my users don't know how to do shell, and they can't change
> > passwords. now, i just upgraded to squirrelmail (upgraded because i had
> > IMP before, barf!), which has a plugin to change the password. it's TLS
> > encrypted, so not too much of a problem, but in testing out poppassd,
> > the underlying password changing daemon (usually used for Eudora), i
> > have just fainted:
> > 
> > (assume johndoe's password is mypw, and he changes to mypw2)
> > 
> >   200 seamus poppassd v1.2 hello, who are you?
> >   user johndoe
> >   200 your password please.
> >   pass mypw
> >   200 your new password please.
> >   newpass mypw2
> >   200 Password changed, thank you.
> >   quit
> >   200 Bye.
> > 
> > all good up to here:
> > 
> >   madduck@seamus:~> su johndoe
> >   Password:                       < enter "mypw"
> >   su: Authentication failure
> >   Sorry.
> >   madduck@seamus:~> su johndoe
> >   Password:                       < enter "myNewpw"
> >   johndoe@seamus:/home/madduck>
> > 
> > now sit and chill, we'll just do it again:
> > 
> >   200 seamus poppassd v1.2 hello, who are you?
> >   user johndoe
> >   200 your password please.
> >   pass mypw                        <<<======== the old one !!!
> >   200 your new password please.
> >   newpass mypw3
> >   200 Password changed, thank you.
> >   quit
> >   200 Bye.
> > 
> > poppassd asks for the password, but it seemingly doesn't care!!! sure,
> > it runs as root, so it doesn't need it, but it should validate it!!!
> > 
> > (and yes, indeed, it *did* change the password.)
> > 
> >   madduck@seamus:~> su johndoe
> >   Password:                       < enter "mypw"
> >   su: Authentication failure
> >   Sorry.
> >   madduck@seamus:~> su johndoe
> >   Password:                       < enter "myNewpw"
> >   su: Authentication failure
> >   Sorry.
> >   madduck@seamus:~> su johndoe
> >   Password:                       < enter "myOtherpw"
> >   johndoe@seamus:/home/madduck>
> > 
> > it gets better:
> > 
> >   200 seamus poppassd v1.2 hello, who are you?
> >   user johndoe
> >   200 your password please.
> >   pass kjsdgkl                     <<<======== a totally random string
> >   200 your new password please.
> >   newpass abcabcab
> >   500 Invalid user or password
> > 
> > aha. smartie! *but*:
> > (recall that the password is still "myOtherpw")
> > 
> >   200 seamus poppassd v1.2 hello, who are you?
> >   user johndoe
> >   200 your password please.
> >   pass mypw2                       <<<========= *a* previous one
> >   200 your new password please.
> >   newpass another
> >   200 Password changed, thank you.
> >   quit
> >   200 Bye.
> > 
> > and it changed it again...
> > 
> > ... which means that even though i bound to localhost only, any local
> > user can change any other one's password, even root's!
> > 
> > but it also means that i am confused. the man page and docs say
> > specifically that the proggie uses the passwd binary, and does not edit
> > /etc/shadow by itself. but while johndoe's password was md5 hashed in
> > /etc/shadow before all this happened, look at it now:
> > 
> > johndoe:ZmwcDtXWGdpLM:11354:0:99999:7:::
> > 
> > that's not md5! it's crypt()!
> > 
> > moreover, PAM never logged a passwd change, but poppassd logged to
> > /var/log/syslog itself.
> > 
> > now all this aside, maybe someone can explain to me the algorithm of
> > poppassd: apparently, it only lets you change your password if the old
> > password you provide with "pass" is the original or any of the passwords
> > that you had once used through poppassd. if you try other strings for
> > password, poppassd will deny the update. is this an inherent "feature"
> > of the crypt() hashes, or is something thoroughly screwed up? actually,
> > further testing established that when you change a password "mypw" to
> > "mypw2", both will work, if you then change it to "mypw3", all three
> > will work. however, if it starts out as "mypw2" md5-hashed, then the
> > other two won't work. i still don't understand it, and yes, the
> > passwords are all <8 characters!
> > 
> > if it uses /bin/passwd actually as root, it can't really check the old
> > password anyway, so that would explain why you can change anyone's
> > password. but then why did the third attempt, using the totally random
> > string as old password, fail???
> > 
> > well, let's look at the source... which is horrible, i find. oh well. it
> > talks about /bin/passwd all over, how it will is that binary as an
> > abstraction mechanism and all that, but it *never* executes passwd!!!
> > instead, it uses newusers, with its own encoded password, which is a
> > crypt(). great abstraction layer, given that the rest of passwd is md5!
> > 
> > okay, poppassd shouldn't be used anyway... well... still, this is a big
> > issue, i find... in fact, i'd almost propose kicking this package out of
> > debian!
> > 
> > any comments? is this a known issue? couldn't find anything on the
> > web... nor could i find a bug against poppassd, nor are there mentions
> > in the docs.
> > 
> > -- 
> > martin;              (greetings from the heart of the sun.)
> >   \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
> >   
> > the nice thing about windoze is - it does not just crash,
> > it displays a dialog box and lets you press 'ok' first.
> > 
> 
> 
> 
> Todays root password is brought to you by /dev/random
> 
> .-------------------------------------.
> | Steve Mickeler * Network Operations |
> +-------------------------------------+
> |     Neptune Internet Services       |
> `-------------------------------------'
> 
> 1024D/ACB58D4F = 0227 164B D680 9E13 9168  AE28 843F 57D7 ACB5 8D4F
> 
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: poppassd
  - From: martin f krafft <madduck@madduck.net>

References:
- poppassd
  - From: martin f krafft <madduck@madduck.net>
- Re: poppassd
  - From: Steve Mickeler <steve@neptune.on.ca>

Prev by Date: Re: kernel compiling fails on sounddriver
Next by Date: Re: Problems using Logitech Cordless Desktop Optical
Previous by thread: Re: poppassd
Next by thread: Re: poppassd
Index(es):
- Date
- Thread