Potato has 1.2-14 as its latest for poppasswd... I agree that v1.8-ceti would be a better solution, especially considering the security issues you cited. What does it take to get this version into the security updates? A bug filed?
Micah On Wed, 09 Jan 2002, Steve Mickeler wrote: > > I'm using poppassd v1.8-ceti from > > http://www.ceti.com.pl/~kravietz/prog.html > > It doesnt suffer from any of the problems you described below. > > 1) I cant use an old password, only the current password will work to > change the password > > 2) It is PAM aware > > 3) It supports MD5 > > I also make sure that my users change their password via an https form to > step up the security between the client and server. > > If you look at the poppassd-1.8-ceti source, its nice and clean and has > some handy configuration options such as > > #define POP_MIN_UID /* minimum UID which is allowed to change > > This is handy to make sure that uid 0 doesnt get its password changed by > some clown who thinks this could be fun. > > Maybe debian ought to investigate using the -ceti branch of poppassd. > > > On Wed, 9 Jan 2002, martin f krafft wrote: > > > alright, my users don't know how to do shell, and they can't change > > passwords. now, i just upgraded to squirrelmail (upgraded because i had > > IMP before, barf!), which has a plugin to change the password. it's TLS > > encrypted, so not too much of a problem, but in testing out poppassd, > > the underlying password changing daemon (usually used for Eudora), i > > have just fainted: > > > > (assume johndoe's password is mypw, and he changes to mypw2) > > > > 200 seamus poppassd v1.2 hello, who are you? > > user johndoe > > 200 your password please. > > pass mypw > > 200 your new password please. > > newpass mypw2 > > 200 Password changed, thank you. > > quit > > 200 Bye. > > > > all good up to here: > > > > [EMAIL PROTECTED]:~> su johndoe > > Password: < enter "mypw" > > su: Authentication failure > > Sorry. > > [EMAIL PROTECTED]:~> su johndoe > > Password: < enter "myNewpw" > > [EMAIL PROTECTED]:/home/madduck> > > > > now sit and chill, we'll just do it again: > > > > 200 seamus poppassd v1.2 hello, who are you? > > user johndoe > > 200 your password please. > > pass mypw <<<======== the old one !!! > > 200 your new password please. > > newpass mypw3 > > 200 Password changed, thank you. > > quit > > 200 Bye. > > > > poppassd asks for the password, but it seemingly doesn't care!!! sure, > > it runs as root, so it doesn't need it, but it should validate it!!! > > > > (and yes, indeed, it *did* change the password.) > > > > [EMAIL PROTECTED]:~> su johndoe > > Password: < enter "mypw" > > su: Authentication failure > > Sorry. > > [EMAIL PROTECTED]:~> su johndoe > > Password: < enter "myNewpw" > > su: Authentication failure > > Sorry. > > [EMAIL PROTECTED]:~> su johndoe > > Password: < enter "myOtherpw" > > [EMAIL PROTECTED]:/home/madduck> > > > > it gets better: > > > > 200 seamus poppassd v1.2 hello, who are you? > > user johndoe > > 200 your password please. > > pass kjsdgkl <<<======== a totally random string > > 200 your new password please. > > newpass abcabcab > > 500 Invalid user or password > > > > aha. smartie! *but*: > > (recall that the password is still "myOtherpw") > > > > 200 seamus poppassd v1.2 hello, who are you? > > user johndoe > > 200 your password please. > > pass mypw2 <<<========= *a* previous one > > 200 your new password please. > > newpass another > > 200 Password changed, thank you. > > quit > > 200 Bye. > > > > and it changed it again... > > > > ... which means that even though i bound to localhost only, any local > > user can change any other one's password, even root's! > > > > but it also means that i am confused. the man page and docs say > > specifically that the proggie uses the passwd binary, and does not edit > > /etc/shadow by itself. but while johndoe's password was md5 hashed in > > /etc/shadow before all this happened, look at it now: > > > > johndoe:ZmwcDtXWGdpLM:11354:0:99999:7::: > > > > that's not md5! it's crypt()! > > > > moreover, PAM never logged a passwd change, but poppassd logged to > > /var/log/syslog itself. > > > > now all this aside, maybe someone can explain to me the algorithm of > > poppassd: apparently, it only lets you change your password if the old > > password you provide with "pass" is the original or any of the passwords > > that you had once used through poppassd. if you try other strings for > > password, poppassd will deny the update. is this an inherent "feature" > > of the crypt() hashes, or is something thoroughly screwed up? actually, > > further testing established that when you change a password "mypw" to > > "mypw2", both will work, if you then change it to "mypw3", all three > > will work. however, if it starts out as "mypw2" md5-hashed, then the > > other two won't work. i still don't understand it, and yes, the > > passwords are all <8 characters! > > > > if it uses /bin/passwd actually as root, it can't really check the old > > password anyway, so that would explain why you can change anyone's > > password. but then why did the third attempt, using the totally random > > string as old password, fail??? > > > > well, let's look at the source... which is horrible, i find. oh well. it > > talks about /bin/passwd all over, how it will is that binary as an > > abstraction mechanism and all that, but it *never* executes passwd!!! > > instead, it uses newusers, with its own encoded password, which is a > > crypt(). great abstraction layer, given that the rest of passwd is md5! > > > > okay, poppassd shouldn't be used anyway... well... still, this is a big > > issue, i find... in fact, i'd almost propose kicking this package out of > > debian! > > > > any comments? is this a known issue? couldn't find anything on the > > web... nor could i find a bug against poppassd, nor are there mentions > > in the docs. > > > > -- > > martin; (greetings from the heart of the sun.) > > \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED] > > > > the nice thing about windoze is - it does not just crash, > > it displays a dialog box and lets you press 'ok' first. > > > > > > Todays root password is brought to you by /dev/random > > .-------------------------------------. > | Steve Mickeler * Network Operations | > +-------------------------------------+ > | Neptune Internet Services | > `-------------------------------------' > > 1024D/ACB58D4F = 0227 164B D680 9E13 9168 AE28 843F 57D7 ACB5 8D4F > > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
