
How to enable password changing on remote host in roundcube on FreeBSD


Roundcube comes with a password change module, though it's disabled by default. Configuring it to change passwords in another server's passwd database is another matter. The instructions only cover using chpasswd on a Linux server to update the local password database.

On the mail server:

  • adduser roundcube, set a shell and create a home directory.
  • visudo, adding roundcube ALL = NOPASSWD: /usr/sbin/pw

On the web server:

  • chpass www, assigning a shell to allow logins.
  • su www, impersonate www.
  • ssh-keygen -t rsa, create an RSA private/public key pair.
  • scp /home/www/.ssh/id_rsa.pub roundcube@remotehost:~/.ssh/authorized_keys, copying the public key to the mail server to allow passwordless logins.

The chpasswd driver (/www/roundcube/plugins/password/drivers/chpasswd.php) will require modification.

function password_save($currpass, $newpass) {
    $cmd = rcmail::get_instance()->config->get('password_chpasswd_cmd');
    $username = $_SESSION['username'];
    // pw reads the new password from stdin (-h 0), so only the password is written
    $handle = popen($cmd, "w");
    fwrite($handle, "$newpass\n");
    if (pclose($handle) == 0) {
        return PASSWORD_SUCCESS;
    }
    else {
        raise_error(array( 'code' => 600, 'type' => 'php', 'file' => __FILE__, 'line' => __LINE__, 'message' => "Password plugin: Unable to execute $cmd" ), true, false);
    }
    return PASSWORD_ERROR;
}

And so will this line in /www/roundcube/plugins/password/

// chpasswd Driver options 
// --------------------- 
// Command to use 
$rcmail_config['password_chpasswd_cmd'] = "ssh roundcube@mailhost sudo pw usermod -n {$_SESSION['username']} -h 0 2> /dev/null";
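
Added example (not part of the original tutorial or of Roundcube): the sudoers rule above lets the roundcube key run any pw subcommand, and the username ends up on a shell command line on both hosts, so one way to narrow this is a forced-command wrapper on the mail server that accepts nothing but a validated login name. The install path, the MIN_UID cutoff and the name rules are assumptions; it expects the web server to run ssh roundcube@mailhost <username> with the new password on stdin.

```sh
#!/bin/sh
# Added example: forced-command wrapper for the roundcube key on the mail server.
# Hypothetical path /usr/local/libexec/roundcube-chpass, bound to the key in
# ~roundcube/.ssh/authorized_keys (one line, key material elided):
#   command="/usr/local/libexec/roundcube-chpass",restrict ssh-rsa AAAA... www@webhost
LC_ALL=C; export LC_ALL
MIN_UID=1000   # assumption: mail accounts have UIDs at or above this value

# Accept only a plain login name: no spaces, quotes, leading dash or shell metacharacters.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Refuse root and other system accounts even when the name is well-formed.
allowed_account() {
    valid_username "$1" || return 1
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ge "$MIN_UID" ]
}

main() {
    # sshd stores whatever command the client asked for in SSH_ORIGINAL_COMMAND;
    # the whole string is treated as a username and never passed to a shell.
    user=$SSH_ORIGINAL_COMMAND
    if ! allowed_account "$user"; then
        # Log the peer address only, not the rejected string.
        logger -t roundcube-chpass "rejected request from ${SSH_CONNECTION%% *}"
        echo "rejected" >&2
        exit 1
    fi
    logger -t roundcube-chpass "password change requested for $user"
    # The new password arrives on stdin from the Roundcube driver (-h 0, as above).
    exec sudo /usr/sbin/pw usermod -n "$user" -h 0
}

# Run only when sshd invoked us with a requested command; a bare login does nothing.
[ -z "${SSH_ORIGINAL_COMMAND:-}" ] || main
```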


Be careful with this tutorial. The author is saying to make a vulnerable server. Do not make an SSH user without a password, never!

I'm not entirely sure I understand what you mean, but using SSH public/private key pairs and disabling password authentication is far more secure than using a password.

If you thought I was just authenticating with an empty password, yes, that would be a bad idea.

I cannot recommend scripting remote authentication using a password saved in a script.

