A Eudora and NUPOP change password server.
Version 1.8.1 with PAM support.
HOW IT WORKS?
The idea is that the poppassd daemon is never accessible from the outside.
It is intended to work only with a WWW interface, such as PopPass by
Jerry Workman <firstname.lastname@example.org>. It is IMHO more secure and less
complicated than using SUID CGI scripts or CGI wrappers to /bin/passwd.
The user fills in a WWW form, which is then processed by the PopPass program.
PopPass checks that the data seems to be correct (the passwords are the same
and long enough) and connects to the poppassd daemon, which performs the
real password change.
For better security it is recommended to configure PopPass to connect
to poppassd on localhost and to block access to port 106 from other
machines. This is described below.
You need the PAM libraries and header files to compile poppassd. On
most Linux distributions they are provided in packages named
pam-devel, libpam-dev or similar.
1. Edit Makefile if necessary and type 'make'.
2. Install in /usr/sbin, owned by root and executable only by root.
3. Add to /etc/inetd.conf:
    poppassd stream tcp nowait root /usr/sbin/tcpd poppassd
4. Add to /etc/services:
5. Configure tcpd to refuse connections to poppassd from all hosts
but localhost. I have tcpd compiled with -DOPTIONS and my /etc/hosts.deny
entry looks like:
    poppassd: nobody@localhost: allow
    poppassd: ALL: deny
You may need to change 'nobody' to the user your httpd is running as.
It is also worth considering blocking all incoming TCP packets to port
106 on your router.
6. Add to /etc/syslog.conf:
7. Install a poppassd client in your web server (some are available
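
A check for steps 3 and 5, added here as an example and not part of poppassd or PopPass: it reads a tcpd rules file in the option style shown above (every rule ending in allow or deny) and an inetd.conf, and reports anything that would let a non-local client reach poppassd. The function name audit_poppassd and its two file arguments are hypothetical; the check relies on tcpd using the first matching rule and granting access when no rule matches.

```shell
#!/bin/sh
# Added example, not part of poppassd.
# Usage: audit_poppassd <tcpd-rules-file> <inetd.conf>
# Prints one finding per line; returns 0 only when there are no findings.
# Assumption: rules use the -DOPTIONS form, ending in "allow" or "deny".
audit_poppassd() {
    rules=$1 inetd=$2
    findings=$(
        # tcpd applies the first rule that matches, so walk the file in order.
        awk -F: '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            {
                for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
                d = "," $1 ","; gsub(/[ \t]/, "", d)
                if (d !~ /,(poppassd|ALL),/) next   # rule is for other daemons
                if (closed) next                    # shadowed by the catch-all deny
                action = $NF
                if ($2 == "ALL" && action == "deny") { closed = 1; next }
                # Anything other than [user@]localhost is reported for review.
                if (action == "allow" && $2 !~ /^([^@ ]+@)?(localhost|127\.0\.0\.1)$/)
                    print "rule allows non-local client: " $2
            }
            # With no matching rule tcpd grants access, so a final deny is required.
            END { if (!closed) print "no catch-all deny for poppassd" }
        ' "$rules"
        # The inetd entry must start tcpd, otherwise the rules are never consulted.
        awk '
            $1 == "poppassd" {
                seen = 1
                if ($6 != "/usr/sbin/tcpd") print "inetd entry bypasses tcpd: " $6
            }
            END { if (!seen) print "no poppassd entry in inetd.conf" }
        ' "$inetd"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Only one rules file is examined, so run it against /etc/hosts.allow as well if that file has rules for poppassd, since tcpd consults it first.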
Based on poppassd by John Norstad <email@example.com>,
Roy Smith <firstname.lastname@example.org> and Daniel L. Leavitt <email@example.com>.
Shadow file update code taken from shadow-960810 by John F. Haugh
II <firstname.lastname@example.org> and Marek Michalkiewicz
This version was modified to work directly on Linux shadow files.
It includes a few additions like delay after incorrect password.
Version 1.5 fixes a bug which caused usernames containing characters
like underscore '_' to be ignored. I've also added a new compilation
flag, -DALLOW_NULL_PASSWORDS, which does exactly what it says ;)
I needed it for automated account creation. Don't use it
unless you really need it - this can be a security hole.
Version 1.7 uses PAM. Thanks to Mikolaj Rydzewski <email@example.com>
for giving me a clue about how to use the PAM conversation function in his wwwpasswd.
Version 1.8 fixes minor bugs.
Version 1.8.1 has only cosmetic changes, like updated documentation.
Pawel Krawczyk <firstname.lastname@example.org>