published by Yvan on August 2, 2012 - 2:05pm
Roundcube comes with a password change module, though it's disabled by default. Configuring it to change passwords on another server's [geshifilter-code]passwd[/geshifilter-code] database is another matter. The instructions only cover using [geshifilter-code]chpasswd[/geshifilter-code] on a Linux server to update the local password database.
On the mail server:
- [geshifilter-code]adduser roundcube[/geshifilter-code], set a shell and create a home directory.
- [geshifilter-code]visudo[/geshifilter-code], adding [geshifilter-code]roundcube ALL = NOPASSWD: /usr/sbin/pw[/geshifilter-code]
On the web server:
- [geshifilter-code]chpass www[/geshifilter-code], assigning a shell to allow logins.
- [geshifilter-code]su www[/geshifilter-code], impersonate www.
- [geshifilter-code]ssh-keygen -t rsa[/geshifilter-code], create an RSA private/public key pair.
- [geshifilter-code]scp /home/www/.ssh/id_rsa.pub roundcube@remotehost:~/.ssh/authorized_keys[/geshifilter-code], copying the public key to the mail server to allow passwordless logins.
The [geshifilter-code]chpasswd[/geshifilter-code] driver ([geshifilter-code]/www/roundcube/plugins/password/drivers/chpasswd.php[/geshifilter-code]) will require modification.
[geshifilter-php]function password_save($currpass, $newpass) {
    // Command line from config.inc.php (password_chpasswd_cmd).
    $cmd = rcmail::get_instance()->config->get('password_chpasswd_cmd');
    $username = $_SESSION['username'];

    // Open the command for writing and send the new password on its stdin,
    // which is where "pw usermod -h 0" reads it.
    $handle = popen($cmd, "w");
    fwrite($handle, "$newpass\n");

    // pclose() returns the exit status of the command.
    if (pclose($handle) == 0) {
        return PASSWORD_SUCCESS;
    }
    else {
        raise_error(array( 'code' => 600, 'type' => 'php', 'file' => __FILE__, 'line' => __LINE__, 'message' => "Password plugin: Unable to execute $cmd" ), true, false);
    }

    return PASSWORD_ERROR;
}[/geshifilter-php]
And so will this line in [geshifilter-code]/www/roundcube/plugins/password/config.inc.php[/geshifilter-code]
[geshifilter-php]// chpasswd Driver options
// ---------------------
// Command to use
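// escapeshellarg() stops the web server's shell from interpreting the user name;
// the remote shell on mailhost still parses the command string.
$rcmail_config['password_chpasswd_cmd'] = "ssh roundcube@mailhost " . escapeshellarg("sudo pw usermod -n {$_SESSION['username']} -h 0") . " 2> /dev/null";[/geshifilter-php]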
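As configured above, the key in [geshifilter-code]authorized_keys[/geshifilter-code] can request any command, and the sudoers rule lets the roundcube account run any [geshifilter-code]pw[/geshifilter-code] subcommand as root. The following is an added example, not code from the original post: a forced-command wrapper for the mail server that accepts only the exact request the driver sends. The install path, log tag, allowed user name pattern and blocked-account list are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed install path:
# /usr/local/libexec/rc-passwd. Bind the web server's key to it with one
# line in ~roundcube/.ssh/authorized_keys on the mail server:
#   command="/usr/local/libexec/rc-passwd",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... www@webhost
LC_ALL=C; export LC_ALL

# Accept only plain account names; the blocked names are an assumed list.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ] || return 1
    case "$1" in
        root|toor|daemon|operator|roundcube|www) return 1 ;;
    esac
    return 0
}

# Print the user name if $1 is exactly "sudo pw usermod -n <user> -h 0".
requested_user() {
    set -f            # split into words without glob expansion, no eval
    set -- $1
    set +f
    [ "$#" -eq 7 ] || return 1
    [ "$1 $2 $3 $4 $6 $7" = "sudo pw usermod -n -h 0" ] || return 1
    valid_username "$5" || return 1
    printf '%s\n' "$5"
}

main() {
    if user=$(requested_user "$SSH_ORIGINAL_COMMAND"); then
        # The new password still arrives on stdin, as in the driver above.
        exec sudo /usr/sbin/pw usermod -n "$user" -h 0
    fi
    logger -t rc-passwd "rejected request from ${SSH_CONNECTION%% *}"
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client asked for a command,
# so a bare login with this key runs nothing and the session ends.
[ -z "${SSH_ORIGINAL_COMMAND+set}" ] || main
```

The sudoers entry from the post still permits any [geshifilter-code]pw[/geshifilter-code] invocation by the roundcube account; it is the key restriction that narrows what the web server can request.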
Comments
Fantastic
Security Issues
Be careful with this tutorial. The author is saying to make a vulnerable server. Do not make an SSH user without a password, never!
SSH keys
I'm not entirely sure I understand what you mean, but using SSH public/private key pairs and disabling password authentication is far more secure than using a password.
If you thought I was just authenticating with an empty password, yes, that would be a bad idea.
I cannot recommend scripting remote authentication using a password saved in a script.