An Eudora and NUPOP change password server.
Version 1.8.5 with PAM support.
HOW IT WORKS?
The idea is that poppassd daemon is never accessible from the outside.
This is intended to work only with WWW interface, such as PopPass by
Jerry Workman <firstname.lastname@example.org>. It is IMHO more secure and less
complicated than using SUID CGI scripts or CGI wrappers to /bin/passwd.
User fills a WWW form which is then processed by PopPass program.
PopPass checks if the data seems to be correct (passwords are same
and long enough), connects to the poppassd daemon which performs the
real password change.
For better security it is recommended to configure PopPass to connect
to poppassd on localhost and block access to the port 106 from other
machines. This is described below.
By default poppassd allows alphanumeric (no spaces allowed) usernames up
to 59 characters and alphanumeric (spaces allowed) passwords up to
123 characters as well. This can be changed in source code.
You need PAM libraries and header files to compile poppassd, on
most Linux distributions they are provided in packages named
pam-devel, libpam-dev or similiar.
1. Edit Makefile if necessary and type 'make'.
2. Install in /usr/sbin, owned by root and executable only by root.
3. If you're using inetd, add to /etc/inetd.conf:
poppassd stream tcp nowait root /usr/sbin/tcpd poppassd
If you're using xinetd, add a file /etc/xinet.d/poppassd:
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/poppassd
log_on_success += HOST DURATION
log_on_failure += HOST
4. Add do /etc/services:
5. Configure tcpd to refuse connection to poppassd from all hosts
but localhost. I have tcpd compiled with -DOPTIONS and my /etc/hosts.deny
entry looks like:
poppassd: nobody@localhost: allow
poppassd: ALL: deny
6. Add a file /etc/pam.d/poppassd:
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_pwdb.so use_authtok nullok
You may need to change 'nobody' to the user your httpd is running as.
To use the user@ form you also need to have identd running on your
system. If you haven't, simply use "localhost: allow" rule.
It's also worth considering to block all incoming TCP packets to port
106 on your router, if you're only using poppassd to change passwords
6. Add to /etc/syslog.conf:
7. Install a poppassd client in your web server (some are available
Based on poppassd by John Norstad <email@example.com>,
Roy Smith <firstname.lastname@example.org> and Daniel L. Leavitt <email@example.com>.
Shadow file update code taken from shadow-960810 by John F. Haugh
II <firstname.lastname@example.org> and Marek Michalkiewicz
This version was modified to work directly on Linux shadow files.
It includes a few additions like delay after incorrect password.
Version 1.5 fixes bug which caused usernames containing characters
like underscore '_' to be ignored. I've also added new compilation
flag -DALLOW_NULL_PASSWORDS, which makes exactly what it means ;)
I've needed it for automated accounts creation. Don't use it if
unless you really need it - this can be a security hole.I
Version 1.7 uses PAM. Thanks to Mikolaj Rydzewski <email@example.com>
for giving me a clue how to use PAM conversion function in his wwwpasswd.
Version 1.8 fixes minor bugs.
Version 1.8.1 has only cosmetical changes, like updated documentation.
Version 1.8.2 has some cleanups in maximum username and password length
checking and more verbose logging. It also supports passwords
with space inside thanks to suggestion from Adam Conrad.
Version 1.8.3 has changed the default PAM service name from "passwd" to
"poppassd" (Radoslaw Antoniuk) and some more cleanups on password
and username length (Mihail Vidiassov). Also added configuration
hints from Brian Kircher.
Version 1.8.4 Steven Danz fixes one bug where PAM errors (like cracklib
complaints) were actually not preventing the user from changing
the password. Now, if cracklib reports a weak password, it
won't be accepted. To return to the previous default behaviour,
remove cracklib from poppassd PAM configuration.
Version 1.8.5 small fixes to compile under gcc-3.3 (varargs vs stdarg),
reported by many people.
Pawel Krawczyk http://echelon.pl/kravietz/