File: README

package info (click to toggle)
poppassd 1.8.5-1
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 72 kB
  • ctags: 27
  • sloc: ansic: 191; makefile: 55; sh: 6
file content (129 lines) | stat: -rw-r--r-- 4,720 bytes parent folder | download | duplicates (5)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
An Eudora and NUPOP change password server.
Version 1.8.5 with PAM support.

HOW IT WORKS?

The idea is that poppassd daemon is never accessible from the outside.
This is intended to work only with WWW interface, such as PopPass by
Jerry Workman <jerry@newwave.net>. It is IMHO more secure and less
complicated than using SUID CGI scripts or CGI wrappers to /bin/passwd.

User fills a WWW form which is then processed by PopPass program.
PopPass checks if the data seems to be correct (passwords are same
and long enough), connects to the poppassd daemon which performs the
real password change.

For better security it is recommended to configure PopPass to connect
to poppassd on localhost and block access to the port 106 from other
machines. This is described below.

By default poppassd allows alphanumeric (no spaces allowed) usernames up
to 59 characters and alphanumeric (spaces allowed) passwords up to
123 characters as well. This can be changed in source code.
 
INSTALLATION:

You need PAM libraries and header files to compile poppassd, on
most Linux distributions they are provided in packages named
pam-devel, libpam-dev or similiar.
 
1. Edit Makefile if necessary and type 'make'. 

2. Install in /usr/sbin, owned by root and executable only by root.
 
3. If you're using inetd, add to /etc/inetd.conf:
 
        poppassd stream tcp nowait root /usr/sbin/tcpd poppassd

   If you're using xinetd, add a file /etc/xinet.d/poppassd:

        service poppassd
	{
        disable = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/poppassd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
	}

4. Add do /etc/services:
  
        poppassd	106/tcp

5. Configure tcpd to refuse connection to poppassd from all hosts
but localhost. I have tcpd compiled with -DOPTIONS and my /etc/hosts.deny
entry looks like:

        poppassd: nobody@localhost: allow
        poppassd: ALL: deny

6. Add a file /etc/pam.d/poppassd:

	#%PAM-1.0
	auth       required     /lib/security/pam_pwdb.so shadow nullok
	account    required     /lib/security/pam_pwdb.so
	password   required     /lib/security/pam_cracklib.so retry=3
	password   required     /lib/security/pam_pwdb.so use_authtok nullok

You may need to change 'nobody' to the user your httpd is running as.
To use the user@ form you also need to have identd running on your
system. If you haven't, simply use "localhost: allow" rule.

It's also worth considering to block all incoming TCP packets to port
106 on your router, if you're only using poppassd to change passwords
from web.

6. Add to /etc/syslog.conf:
 
        local4.err	/var/log/poppassd
 
7. Install a poppassd client in your web server (some are available
   in ftp://ftp.ceti.pl/pub/linux/)

CREDITS

Based on poppassd by John Norstad <j-norstad@nwu.edu>,
Roy Smith <roy@nyu.edu> and Daniel L. Leavitt <dll@mitre.org>.

Shadow file update code taken from shadow-960810 by John F. Haugh
II <jfh@rpp386.cactus.org> and Marek Michalkiewicz
<marekm@i17linuxb.ists.pwr.wroc.pl>

This version was modified to work directly on Linux shadow files.
It includes a few additions like delay after incorrect password.

Version 1.5 fixes bug which caused usernames containing characters
like underscore '_' to be ignored. I've also added new compilation
flag -DALLOW_NULL_PASSWORDS, which makes exactly what it means ;)
I've needed it for automated accounts creation. Don't use it if
unless you really need it - this can be a security hole.I

Version 1.7 uses PAM. Thanks to Mikolaj Rydzewski <mikir@kki.net.pl>
for giving me a clue how to use PAM conversion function in his wwwpasswd.

Version 1.8 fixes minor bugs.

Version 1.8.1 has only cosmetical changes, like updated documentation.

Version 1.8.2 has some cleanups in maximum username and password length
	checking and more verbose logging. It also supports passwords
	with space inside thanks to suggestion from Adam Conrad.

Version 1.8.3 has changed the default PAM service name from "passwd" to
	"poppassd" (Radoslaw Antoniuk) and some more cleanups on password
	and username length (Mihail Vidiassov). Also added configuration
	hints from Brian Kircher.

Version 1.8.4 Steven Danz fixes one bug where PAM errors (like cracklib
	complaints) were actually not preventing the user from changing
	the password.  Now, if cracklib reports a weak password, it
	won't be accepted.  To return to the previous default behaviour,
	remove cracklib from poppassd PAM configuration.

Version 1.8.5 small fixes to compile under gcc-3.3 (varargs vs stdarg),
	reported by many people.

--
Pawel Krawczyk http://echelon.pl/kravietz/