An Eudora and NUPOP change password server that allows user password change on PAM based systems via a simple POP3-like protocol. This daemon is frequently used as a backend for web based password change interfaces.
Poppassd operates over standard input and output exclusively. On modern Linux servers the network socket is expected to be handled entirely by systemd.socket. On legacy FreeBSD it's expected to be run from inetd and from xinetd on legacy Linux servers.
Authentication and actual password change are handled exclusively by PAM on all systems.
In the intended usage model, remote network applications or local web applications connect to the poppassd port over TCP, which creates a clear trust boundary and avoids the potentially dangerous shell script operations using SUID or `expect` seen in some other solutions to the same problem. On modern Linux servers the `poppassd.service` uses a reasonable set of systemd hardening features to further reduce the attack surface.
Poppassd uses the PAM definitions from `/etc/pam.d/poppassd` for user authentication and password change. Any local policies such as LDAP authentication, login times and password quality enforcement should be configured there per the PAM System Administrator's Guide. The default PAM configuration has no provisions to restrict the number of login attempts per user, so this must be configured in PAM as well. The daemon itself, however, introduces a delay after each unsuccessful login attempt, which to some extent reduces the effectiveness of password brute-forcing.
Use `systemctl edit --full poppassd.socket` to change the default listening port (default `106/tcp`) or bind address (default
Poppassd implements a simple, text based protocol for user authentication and password change:

```
200 poppassd
USER username
200 Your password please
PASS old_password
200 Your new password please
NEWPASS new_password
200 Password changed
QUIT
200 Bye
```
Server responses starting with `200` are successes, those starting with `500` are errors:

```
200 poppassd
USER username
200 Your password please.
PASS old_password
500 Old password is incorrect
```
Integration with web applications requires that the application connects over TCP to `localhost:106` and speaks the above protocol using the data supplied by the user.
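As an added illustration of such an integration (example code, not part of poppassd-ceti), the following Python client drives the USER/PASS/NEWPASS/QUIT exchange, treats any `500` reply as a failure, and rejects user-supplied fields containing CR or LF so that web form input cannot inject a second command into the line-oriented protocol. It assumes the daemon terminates its replies with a newline; the transcripts used for offline replay are constructed, not captured from a real server.

```python
import io
import socket

class PoppassdError(Exception):
    """Server answered a command with a 500 response."""

def _expect_200(line: str) -> str:
    """Parse one response line; return its text or raise on 500/garbage."""
    code, _, text = line.strip().partition(" ")
    if code == "200":
        return text
    raise PoppassdError(text if code == "500" else f"unexpected reply: {line!r}")

def change_password(rfile, wfile, user, old_pw, new_pw):
    """Drive the USER/PASS/NEWPASS/QUIT exchange over text streams."""
    for value in (user, old_pw, new_pw):
        if "\r" in value or "\n" in value:      # block command injection via form data
            raise ValueError("CR/LF not allowed in protocol fields")
    _expect_200(rfile.readline())                 # greeting, e.g. "200 poppassd"
    for cmd, arg in (("USER", user), ("PASS", old_pw), ("NEWPASS", new_pw)):
        wfile.write(f"{cmd} {arg}\r\n")
        wfile.flush()
        _expect_200(rfile.readline())             # raises PoppassdError on "500 ..."
    wfile.write("QUIT\r\n")
    wfile.flush()
    return _expect_200(rfile.readline())          # "Bye" on success

def change_password_tcp(user, old_pw, new_pw, host="localhost", port=106):
    """Connect to the daemon's TCP port (106/tcp per the README) and run the exchange."""
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("r", encoding="utf-8", newline="")
        wfile = sock.makefile("w", encoding="utf-8", newline="")
        return change_password(rfile, wfile, user, old_pw, new_pw)

# Constructed server transcripts (not captured from a real daemon) for offline replay.
OK_TRANSCRIPT = ("200 poppassd\n200 Your password please\n200 Your new password please\n"
                 "200 Password changed\n200 Bye\n")
FAIL_TRANSCRIPT = "200 poppassd\n200 Your password please.\n500 Old password is incorrect\n"

def run_against_transcript(transcript, user, old_pw, new_pw):
    """Replay a transcript without a network; returns (result, text the client sent)."""
    rfile, wfile = io.StringIO(transcript), io.StringIO()
    try:
        result = change_password(rfile, wfile, user, old_pw, new_pw)
    except PoppassdError as exc:
        result = f"ERROR: {exc}"
    return result, wfile.getvalue()
```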
```
yum install pam pam-devel cmake
apt-get install libpam0g libpam0g-dev cmake
```
Installation from source:

```
git clone https://github.com/kravietz/poppassd-ceti.git
cd poppassd-ceti
cmake .
make
sudo make install
```
Since version 1.8.9 the default deployment method on Linux is systemd.socket: systemd handles the port `106/tcp` and starts a `poppassd@.service` instance on each new connection. Locations of installed files:
The service files are not installed on Linux servers without systemd or on FreeBSD. Service definition is up to the administrator on these servers.
Testing is as simple as running the binary directly, since `poppassd` works on standard input (as described above):

```
sudo /usr/local/sbin/poppassd
200 poppassd
USER kravietz
200 Your password please
PASS wie9on2cheB7oojeokai
200 Your new password please
NEWPASS eW4ieLieYieN6iefaith
200 Password changed
QUIT
200 Bye
```
If it does not work, check `journalctl -xe`, or `/var/log/auth.log` on old systems. The most frequent problems are PAM configuration issues. If it works locally but does not work over `localhost:106`, you may need to use `systemctl edit --full poppassd.service` and disable some of the systemd hardening settings, as they might be too restrictive on your system.
This program was initially based on poppassd by John Norstad, Roy Smith and Daniel L. Leavitt. Shadow file update code was taken from shadow-960810 by John F. Haugh II and Marek Michalkiewicz. A number of people (listed below) have contributed with suggestions and fixes.
systemd (@imilos), documentation updates
poppassd and move it to GitHub; the program is now compiled with autotools and includes several security improvements
`-DALLOW_NULL_PASSWORDS` (needed for automated account creation).