qmail poppass.8
qmail-poppass - change passwords from across the network using the setpassword interface
qmail-poppass [ hostname checkprogram subprogram subprogram ]
qmail-poppass provides the poppassd protocol to allow users to change their passwords from remote locations.
qmail-poppass uses the checkpassword interface for authentication and the setpassword interface for setting the password. The checkpassword interface provides a simple, uniform password-checking interface to all root applications. It is suitable for use by applications such as login and ftpd. The setpassword interface provides a simple, uniform password-setting interface to all root applications. It is suitable for use by applications such as pop3d and imapd.
checkprogram and subprogram should be checkpassword compatible programs. qmail-poppass invokes checkprogram, which reads on file descriptor 3 the username, a 0 byte, the password, another 0 byte, and a final two 0 bytes. checkprogram invokes subprogram upon unsuccessful authentication, passing the same data (read earlier on descriptor 3) on a pipe with file descriptor 4 as the write end and file descriptor 3 as the read end. subprogram should read file descriptor 3 and should in turn return 0 to qmail-poppass on successful authentication. qmail-poppass will reject the authentication attempt if it receives a nonzero return value from checkprogram or subprogram. There can be multiple subprograms for a particular type of authentication. The last subprogram should typically be /bin/false or /usr/bin/false, depending on your operating system.
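A skeleton for a subprogram's input handling, as an added example that is not part of qmail-poppass: it reads descriptor 3 and splits out the username and password, rejecting unterminated, empty or oversized input. The names cp_parse, cp_read and CP_MAX, the 512-byte cap, the rejection of empty fields and the closing of descriptor 4 before reading are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define CP_MAX 512  /* assumed cap; the classic checkpassword limit */

/* Find username and password in buf[0..len). Returns 0 on success, -1 if
 * either field is empty or lacks its terminating 0 byte inside buf.
 * Bytes after the password's terminator are not interpreted. */
int cp_parse(const char *buf, size_t len, const char **user, const char **pass)
{
    const char *end_user = memchr(buf, 0, len);
    if (!end_user || end_user == buf)
        return -1;
    size_t rest = len - (size_t)(end_user + 1 - buf);
    const char *end_pass = memchr(end_user + 1, 0, rest);
    if (!end_pass || end_pass == end_user + 1)
        return -1;
    *user = buf;
    *pass = end_user + 1;
    return 0;
}

/* Read fd to EOF into buf. Returns the byte count, or -1 on a read error
 * or when cap bytes arrive before EOF (oversized input). */
long cp_read(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap) {
        ssize_t r = read(fd, buf + n, cap - n);
        if (r < 0) return -1;
        if (r == 0) return (long)n;
        n += (size_t)r;
    }
    return -1;
}

int main(void)
{
    char buf[CP_MAX];
    const char *user, *pass;
    close(4);  /* assumption: drop an inherited write end so read() sees EOF */
    long n = cp_read(3, buf, sizeof buf);
    if (n < 0 || cp_parse(buf, (size_t)n, &user, &pass) != 0)
        return 2;  /* malformed input; any nonzero value is a rejection */
    /* hypothetical: check user/pass against your own backend here */
    return 1;      /* skeleton accepts nobody, like /bin/false */
}
```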
qmail-poppass sleeps 5 seconds after an unsuccessful password change attempt. This feature is designed to make brute force attacks against passwords harder to perform.
To be able to change passwords, qmail-poppass needs a setpassword compatible program. This can be specified by setting the PASSWORD_COMMAND environment variable.
PASSWORD_COMMAND="/usr/sbin/vsetpass /bin/false"
Logging is done to descriptor 2. qmail-poppass logs all password change attempts whether they are successful or not.
All messages passed between server and client are text based, so a client session can easily be mimicked with telnet on an unencrypted channel. On an encrypted channel you can use tcpclient(1), with which changing a user's password would look like this:
$ tcpclient -n /etc/indimail/certs/clientcert.pem 0 poppassd
200 indimail.org hello, who are you?\r\n
user <username>\r\n
200 Your password please.\r\n
pass <current password>
200 Your new password please.\r\n
newpass <new password>\r\n
200 Password changed, thank-you.\r\n
quit\r\n
200 Bye.\r\n
Connection closed by foreign host.
If you've found a bug in qmail-poppass, please report it to [email protected]
AUTHOR
qmail-poppass is based on poppassd and was written by Manvendra Bhangui <[email protected]>. poppassd was written by Pawel Krawczyk, based on an earlier version written by John Norstad, Roy Smith and Daniel L. Leavitt.