How to enable password changing on remote host in roundcube on FreeBSD

Roundcube

Roundcube comes with a password change module, though it's disabled by default. Configuring it to change passwords on another server's [geshifilter-code]passwd[/geshifilter-code] database is another matter. The instructions only cover using [geshifilter-code]chpasswd[/geshifilter-code] on a Linux server to update the local password database.

On the mail server:

  • [geshifilter-code]adduser roundcube[/geshifilter-code], set a shell and create a home directory.
  • [geshifilter-code]visudo[/geshifilter-code], adding [geshifilter-code]roundcube ALL = NOPASSWD: /usr/sbin/pw[/geshifilter-code]

On the web server:

  • [geshifilter-code]chpass www[/geshifilter-code], assigning a shell to allow logins.
  • [geshifilter-code]su www[/geshifilter-code], impersonate www.
  • [geshifilter-code]ssh-keygen -t rsa[/geshifilter-code], create an RSA private/public key pair.
  • [geshifilter-code]scp /home/www/.ssh/id_rsa.pub roundcube@remotehost:~/.ssh/authorized_keys[/geshifilter-code], copying the public key to the mail server to allow passwordless logins.

The [geshifilter-code]chpasswd[/geshifilter-code] driver ([geshifilter-code]/www/roundcube/plugins/password/drivers/chpasswd.php[/geshifilter-code]) will require modification.

[geshifilter-php]
function password_save($currpass, $newpass)
{
    // Command template from the plugin configuration (config.inc.php)
    $cmd = rcmail::get_instance()->config->get('password_chpasswd_cmd');
    $username = $_SESSION['username'];

    // "pw usermod -h 0" reads the new password as a single line on stdin
    $handle = popen($cmd, "w");
    fwrite($handle, "$newpass\n");

    if (pclose($handle) == 0) {
        return PASSWORD_SUCCESS;
    }
    else {
        raise_error(array(
            'code' => 600,
            'type' => 'php',
            'file' => __FILE__,
            'line' => __LINE__,
            'message' => "Password plugin: Unable to execute $cmd"
            ), true, false);
    }

    return PASSWORD_ERROR;
}
[/geshifilter-php]

And so will this line in [geshifilter-code]/www/roundcube/plugins/password/config.inc.php[/geshifilter-code]:

[geshifilter-php]
// chpasswd Driver options
// ---------------------
// Command to use
$rcmail_config['password_chpasswd_cmd'] = "ssh roundcube@mailhost sudo pw usermod -n {$_SESSION['username']} -h 0 2> /dev/null";
[/geshifilter-php]
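As configured above, anything running as www on the web server can open a shell as roundcube on the mail server, and the sudoers rule lets that account run any [geshifilter-code]pw[/geshifilter-code] subcommand as root. One way to narrow this, as an added example that is not part of the original post, is a forced-command wrapper tied to the key in [geshifilter-code]authorized_keys[/geshifilter-code] that accepts only the exact request from the config line and checks the username. The install path, the 32-character limit, the lowercase-only name pattern and the deny list are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the roundcube account (mail server).
# Assumed path: /usr/local/libexec/rc-chpass, referenced from authorized_keys as
#   restrict,command="/usr/local/libexec/rc-chpass" ssh-rsa <public key of www>
LC_ALL=C; export LC_ALL          # make the [a-z] range below ASCII-only

# Print the target user if the request is exactly
# "sudo pw usermod -n USER -h 0" and USER passes the checks; fail otherwise.
parse_request() {
    set -f                       # no globbing while the request is split
    set -- $1                    # whitespace split only; nothing is evaluated
    set +f
    [ "$#" -eq 7 ] || return 1
    [ "$1 $2 $3 $4 $6 $7" = "sudo pw usermod -n -h 0" ] || return 1
    user=$5
    case "$user" in
        ''|-*|*[!a-z0-9._-]*) return 1 ;;     # empty, option-like, or odd chars
    esac
    [ "${#user}" -le 32 ] || return 1         # assumed length limit
    case "$user" in
        root|toor|roundcube) return 1 ;;      # assumed deny list
    esac
    printf '%s\n' "$user"
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if user=$(parse_request "$SSH_ORIGINAL_COMMAND"); then
        # stdin is passed through, so pw still reads the password from fd 0
        exec sudo /usr/sbin/pw usermod -n "$user" -h 0
    fi
    # Log the rejection without echoing the untrusted request itself
    logger -p auth.warning -t rc-chpass "rejected request from ${SSH_CONNECTION:-unknown}"
    exit 1
fi
```

The wrapper only constrains what reaches the mail server. The config line still passes the username through a local shell via [geshifilter-code]popen()[/geshifilter-code] on the web server, so quoting it there with PHP's [geshifilter-code]escapeshellarg()[/geshifilter-code] remains worthwhile.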

Comments

Be careful with this tutorial. The author is telling you to set up a vulnerable server. Do not make an SSH user without a password, never!

I'm not entirely sure I understand what you mean, but using SSH public/private key pairs and disabling password authentication is far more secure than using a password.

If you thought I was just authenticating with an empty password, yes, that would be a bad idea.

I cannot recommend scripting remote authentication using a password saved in a script.
