alright, my users don't know how to do shell, and they can't change passwords. now, i just upgraded to squirrelmail (upgraded because i had IMP before, barf!), which has a plugin to change the password. it's TLS encrypted, so not too much of a problem, but in testing out poppassd, the underlying password changing daemon (usually used for Eudora), i have just fainted:
(assume johndoe's password is mypw, and he changes to mypw2)

200 seamus poppassd v1.2 hello, who are you?
user johndoe
200 your password please.
pass mypw
200 your new password please.
newpass mypw2
200 Password changed, thank you.
quit
200 Bye.

all good up to here:

[EMAIL PROTECTED]:~> su johndoe
Password: < enter "mypw"
su: Authentication failure
Sorry.
[EMAIL PROTECTED]:~> su johndoe
Password: < enter "myNewpw"
[EMAIL PROTECTED]:/home/madduck>

now sit and chill, we'll just do it again:

200 seamus poppassd v1.2 hello, who are you?
user johndoe
200 your password please.
pass mypw <<<======== the old one !!!
200 your new password please.
newpass mypw3
200 Password changed, thank you.
quit
200 Bye.

poppassd asks for the password, but it seemingly doesn't care!!! sure, it runs as root, so it doesn't need it, but it should validate it!!! (and yes, indeed, it *did* change the password.)

[EMAIL PROTECTED]:~> su johndoe
Password: < enter "mypw"
su: Authentication failure
Sorry.
[EMAIL PROTECTED]:~> su johndoe
Password: < enter "myNewpw"
su: Authentication failure
Sorry.
[EMAIL PROTECTED]:~> su johndoe
Password: < enter "myOtherpw"
[EMAIL PROTECTED]:/home/madduck>

it gets better:

200 seamus poppassd v1.2 hello, who are you?
user johndoe
200 your password please.
pass kjsdgkl <<<======== a totally random string
200 your new password please.
newpass abcabcab
500 Invalid user or password

aha. smartie! *but*: (recall that the password is still "myOtherpw")

200 seamus poppassd v1.2 hello, who are you?
user johndoe
200 your password please.
pass mypw2 <<<========= *a* previous one
200 your new password please.
newpass another
200 Password changed, thank you.
quit
200 Bye.

and it changed it again...

... which means that even though i bound to localhost only, any local user can change any other one's password, even root's!

but it also means that i am confused. the man page and docs say specifically that the proggie uses the passwd binary, and does not edit /etc/shadow by itself.
but while johndoe's password was md5 hashed in /etc/shadow before all this happened, look at it now:

johndoe:ZmwcDtXWGdpLM:11354:0:99999:7:::

that's not md5! it's crypt()! moreover, PAM never logged a passwd change, but poppassd logged to /var/log/syslog itself.

now all this aside, maybe someone can explain to me the algorithm of poppassd: apparently, it only lets you change your password if the old password you provide with "pass" is the original or any of the passwords that you had once used through poppassd. if you try other strings for password, poppassd will deny the update. is this an inherent "feature" of the crypt() hashes, or is something thoroughly screwed up?

actually, further testing established that when you change a password "mypw" to "mypw2", both will work, if you then change it to "mypw3", all three will work. however, if it starts out as "mypw2" md5-hashed, then the other two won't work. i still don't understand it, and yes, the passwords are all <8 characters!

if it uses /bin/passwd actually as root, it can't really check the old password anyway, so that would explain why you can change anyone's password. but then why did the third attempt, using the totally random string as old password, fail???

well, let's look at the source... which is horrible, i find. oh well. it talks about /bin/passwd all over, how it will use that binary as an abstraction mechanism and all that, but it *never* executes passwd!!! instead, it uses newusers, with its own encoded password, which is a crypt(). great abstraction layer, given that the rest of passwd is md5!

okay, poppassd shouldn't be used anyway... well... still, this is a big issue, i find... in fact, i'd almost propose kicking this package out of debian!

any comments? is this a known issue? couldn't find anything on the web... nor could i find a bug against poppassd, nor are there mentions in the docs.

-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" [EMAIL PROTECTED] the nice thing about windoze is - it does not just crash, it displays a dialog box and lets you press 'ok' first.
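An added example, not part of the original post and not poppassd's code: a Python check that compares two snapshots of shadow-format text and reports accounts whose hash went from a modular-crypt scheme such as md5 to traditional crypt(), which is the change the post observed on johndoe's line. The function names and the "before" hashes are constructed for illustration; only johndoe's "after" line is taken from the post.

```python
import re

# Modular-crypt prefixes; a bare 13-character string is traditional DES crypt().
PREFIXES = {"$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}
STRONGER = set(PREFIXES.values())
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")


def hash_scheme(field):
    """Name the hashing scheme of one shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.fullmatch(field):
        return "des-crypt"
    return "unknown"


def parse_shadow(text):
    """Map user -> scheme for shadow-format text; skips blanks and comments."""
    schemes = {}
    for line in text.splitlines():
        line = line.strip()
        parts = line.split(":")
        if not line or line.startswith("#") or len(parts) < 2:
            continue
        schemes[parts[0]] = hash_scheme(parts[1])
    return schemes


def downgrades(before, after):
    """List (user, old, new) where a modular-crypt hash became DES crypt()."""
    old, new = parse_shadow(before), parse_shadow(after)
    return [(u, old[u], new[u]) for u in sorted(new)
            if new[u] == "des-crypt" and old.get(u) in STRONGER]


# Constructed snapshot: these md5 strings are placeholders, not real hashes.
BEFORE = ("root:$1$constrct$0123456789abcdefghijkl:11300:0:99999:7:::\n"
          "johndoe:$1$constrct$abcdefghijklmnopqrstuv:11300:0:99999:7:::\n")
# johndoe's line is the one quoted in the post; root's line is constructed.
AFTER = ("root:$1$constrct$0123456789abcdefghijkl:11300:0:99999:7:::\n"
         "johndoe:ZmwcDtXWGdpLM:11354:0:99999:7:::\n")

if __name__ == "__main__":
    for user, was, now in downgrades(BEFORE, AFTER):
        print(f"{user}: {was} -> {now}")
```

Run against a saved copy of /etc/shadow and the live file, this flags accounts whose password was rewritten by something other than the PAM-configured path.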