An Eudora and NUPOP change password server. Version 1.8.1 with PAM support. HOW IT WORKS? The idea is that poppassd daemon is never accessible from the outside. This is intended to work only with WWW interface, such as PopPass by Jerry Workman . It is IMHO more secure and less complicated than using SUID CGI scripts or CGI wrappers to /bin/passwd. User fills a WWW form which is then processed by PopPass program. PopPass checks if the data seems to be correct (passwords are same and long enough), connects to the poppassd daemon which performs the real password change. For better security it is recommended to configure PopPass to connect to poppassd on localhost and block access to the port 106 from other machines. This is described below. INSTALLATION: You need PAM libraries and header files to compile poppassd, on most Linux distributions they are provided in packages named pam-devel, libpam-dev or similiar. 1. Edit Makefile if necessary and type 'make'. 2. Install in /usr/sbin, owned by root and executable only by root. 3. Add to /etc/inetd.conf: poppassd stream tcp nowait root /usr/sbin/tcpd poppassd 4. Add do /etc/services: poppassd 106/tcp 5. Configure tcpd to refuse connection to poppassd from all hosts but localhost. I have tcpd compiled with -DOPTIONS and my /etc/hosts.deny entry looks like: poppassd: nobody@localhost: allow poppassd: ALL: deny You may need to change 'nobody' to the user your httpd is running as. It's also worth considering to block all incoming TCP packets to port 106 on your router. 6. Add to /etc/syslog.conf: local4.err /var/log/poppassd 7. Install a poppassd client in your web server (some are available in ftp://ftp.ceti.pl/pub/linux/) CREDITS Based on poppassd by John Norstad , Roy Smith and Daniel L. Leavitt . Shadow file update code taken from shadow-960810 by John F. Haugh II and Marek Michalkiewicz This version was modified to work directly on Linux shadow files. It includes a few additions like delay after incorrect password. Version 1.5 fixes bug which caused usernames containing characters like underscore '_' to be ignored. I've also added new compilation flag -DALLOW_NULL_PASSWORDS, which makes exactly what it means ;) I've needed it for automated accounts creation. Don't use it if unless you really need it - this can be a security hole.I Version 1.7 uses PAM. Thanks to Mikolaj Rydzewski for giving me a clue how to use PAM conversion function in his wwwpasswd. Version 1.8 fixes minor bugs. Version 1.8.1 has only cosmetical changes, like updated documentation. -- Pawel Krawczyk http://echelon.pl/kravietz/