I'm using poppassd v1.8-ceti from http://www.ceti.com.pl/~kravietz/prog.html
It doesnt suffer from any of the problems you described below. 1) I cant use an old password, only the current password will work to change the password 2) It is PAM aware 3) It supports MD5 I also make sure that my users change their password via an https form to step up the security between the client and server. If you look at the poppassd-1.8-ceti source, its nice and clean and has some handy configuration options such as #define POP_MIN_UID /* minimum UID which is allowed to change This is handy to make sure that uid 0 doesnt get its password changed by some clown who thinks this could be fun. Maybe debian ought to investigate using the -ceti branch of poppassd. On Wed, 9 Jan 2002, martin f krafft wrote: > alright, my users don't know how to do shell, and they can't change > passwords. now, i just upgraded to squirrelmail (upgraded because i had > IMP before, barf!), which has a plugin to change the password. it's TLS > encrypted, so not too much of a problem, but in testing out poppassd, > the underlying password changing daemon (usually used for Eudora), i > have just fainted: > > (assume johndoe's password is mypw, and he changes to mypw2) > > 200 seamus poppassd v1.2 hello, who are you? > user johndoe > 200 your password please. > pass mypw > 200 your new password please. > newpass mypw2 > 200 Password changed, thank you. > quit > 200 Bye. > > all good up to here: > > [EMAIL PROTECTED]:~> su johndoe > Password: < enter "mypw" > su: Authentication failure > Sorry. > [EMAIL PROTECTED]:~> su johndoe > Password: < enter "myNewpw" > [EMAIL PROTECTED]:/home/madduck> > > now sit and chill, we'll just do it again: > > 200 seamus poppassd v1.2 hello, who are you? > user johndoe > 200 your password please. > pass mypw <<<======== the old one !!! > 200 your new password please. > newpass mypw3 > 200 Password changed, thank you. > quit > 200 Bye. > > poppassd asks for the password, but it seemingly doesn't care!!! sure, > it runs as root, so it doesn't need it, but it should validate it!!! > > (and yes, indeed, it *did* change the password.) > > [EMAIL PROTECTED]:~> su johndoe > Password: < enter "mypw" > su: Authentication failure > Sorry. > [EMAIL PROTECTED]:~> su johndoe > Password: < enter "myNewpw" > su: Authentication failure > Sorry. > [EMAIL PROTECTED]:~> su johndoe > Password: < enter "myOtherpw" > [EMAIL PROTECTED]:/home/madduck> > > it gets better: > > 200 seamus poppassd v1.2 hello, who are you? > user johndoe > 200 your password please. > pass kjsdgkl <<<======== a totally random string > 200 your new password please. > newpass abcabcab > 500 Invalid user or password > > aha. smartie! *but*: > (recall that the password is still "myOtherpw") > > 200 seamus poppassd v1.2 hello, who are you? > user johndoe > 200 your password please. > pass mypw2 <<<========= *a* previous one > 200 your new password please. > newpass another > 200 Password changed, thank you. > quit > 200 Bye. > > and it changed it again... > > ... which means that even though i bound to localhost only, any local > user can change any other one's password, even root's! > > but it also means that i am confused. the man page and docs say > specifically that the proggie uses the passwd binary, and does not edit > /etc/shadow by itself. but while johndoe's password was md5 hashed in > /etc/shadow before all this happened, look at it now: > > johndoe:ZmwcDtXWGdpLM:11354:0:99999:7::: > > that's not md5! it's crypt()! > > moreover, PAM never logged a passwd change, but poppassd logged to > /var/log/syslog itself. > > now all this aside, maybe someone can explain to me the algorithm of > poppassd: apparently, it only lets you change your password if the old > password you provide with "pass" is the original or any of the passwords > that you had once used through poppassd. if you try other strings for > password, poppassd will deny the update. is this an inherent "feature" > of the crypt() hashes, or is something thoroughly screwed up? actually, > further testing established that when you change a password "mypw" to > "mypw2", both will work, if you then change it to "mypw3", all three > will work. however, if it starts out as "mypw2" md5-hashed, then the > other two won't work. i still don't understand it, and yes, the > passwords are all <8 characters! > > if it uses /bin/passwd actually as root, it can't really check the old > password anyway, so that would explain why you can change anyone's > password. but then why did the third attempt, using the totally random > string as old password, fail??? > > well, let's look at the source... which is horrible, i find. oh well. it > talks about /bin/passwd all over, how it will is that binary as an > abstraction mechanism and all that, but it *never* executes passwd!!! > instead, it uses newusers, with its own encoded password, which is a > crypt(). great abstraction layer, given that the rest of passwd is md5! > > okay, poppassd shouldn't be used anyway... well... still, this is a big > issue, i find... in fact, i'd almost propose kicking this package out of > debian! > > any comments? is this a known issue? couldn't find anything on the > web... nor could i find a bug against poppassd, nor are there mentions > in the docs. > > -- > martin; (greetings from the heart of the sun.) > \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED] > > the nice thing about windoze is - it does not just crash, > it displays a dialog box and lets you press 'ok' first. > Todays root password is brought to you by /dev/random .-------------------------------------. | Steve Mickeler * Network Operations | +-------------------------------------+ | Neptune Internet Services | `-------------------------------------' 1024D/ACB58D4F = 0227 164B D680 9E13 9168 AE28 843F 57D7 ACB5 8D4F
