NAME¶
courierpassd - change passwords from across the network using the Courier
authentication library
SYNOPSIS¶
courierpassd [-hV] [-s SERVICE] [--stderr]
courierpassd -s, --service SERVICE
courierpassd --stderr
courierpassd -h, --help
courierpassd -V, --version
DESCRIPTION¶
courierpassd allows users to change their passwords from remote locations using
the Courier authentication library. Usernames can be up to 64 characters long
while passwords can be up to 128 characters long.
courierpassd uses the poppassd protocol for obtaining authentication tokens from
the network. courierpassd is intended to be run from a super-server such as
tcpserver or xinetd.
The service specified by the -s switch will depend on the particular
authentication modules installed. Often 'login' will be appropriate but other
possibilities include 'imap' and 'pop3'. This value defaults to 'login'. See
the Courier documentation for a further explanation of this switch.
The minimum uid that courierpassd will attempt to change a password for can be
set at compile time using the configure option --with-minuid. courierpassd
will refuse to change the password of a user whose uid is below this value.
The default value is 100. This value should never be set to 0 as this would
allow root's password to be changed from a remote location.
A second configure option, --with-badpassdelay, can be used to set the delay in
seconds that courierpassd sleeps after an unsuccessful password change
attempt. This feature is designed to make brute force attacks against
passwords harder to perform. The default value is 3.
LOGGING¶
Logging is done to syslog by default or to stderr if the
--stderr switch
is used.
courierpassd logs all password change attempts whether they
are successful or not.
courierpassd does certain checks on command line arguments so it is
important to put
--stderr first in the argument list if it is to be
used in order for these checks to be logged properly.
EXAMPLE CLIENT-SERVER CONVERSATION¶
All messages passed between server and client are text based allowing a client
session to be easily mimicked with telnet. Using telnet, changing a user's
password would look like this:
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
200 courierpassd 1.1.2 hello, who are you?\r\n
user <username>\r\n
200 Your password please.\r\n
pass <current password>
200 Your new password please.\r\n
newpass <new password>\r\n
200 Password changed, thank-you.\r\n
quit\r\n
200 Bye.\r\n
Connection closed by foreign host.
BUGS¶
If you've found a bug in courierpassd, please report it to
freeware@arda.homeunix.net
SEE ALSO¶
http://www.courier-mta.org/authlib/
http://echelon.pl/pubs/poppassd.html
AUTHOR¶
courierpassd was written by Andrew St. Jean
Courier authentication library was written by Sam Varshavchik
poppassd was written by Pawel Krawczyk based on an ealier version written by
John Norstad, Roy Smith and Daniel L. Leavitt