Diffstat (limited to 'plugins/password/helpers')
-rw-r--r--plugins/password/helpers/chgdbmailusers.c47
-rw-r--r--plugins/password/helpers/chgsaslpasswd.c29
-rw-r--r--plugins/password/helpers/chgvirtualminpasswd.c28
-rw-r--r--plugins/password/helpers/chpass-wrapper.py32
-rw-r--r--plugins/password/helpers/dovecot_hmacmd5.php191
-rw-r--r--plugins/password/helpers/passwd-expect267
6 files changed, 594 insertions, 0 deletions
diff --git a/plugins/password/helpers/chgdbmailusers.c b/plugins/password/helpers/chgdbmailusers.c
new file mode 100644
index 000000000..be237556e
--- /dev/null
+++ b/plugins/password/helpers/chgdbmailusers.c
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+// set the UID this script will run as (root user)
+#define UID 0
+#define CMD "/usr/sbin/dbmail-users"
+
+/* INSTALLING:
+ gcc -o chgdbmailusers chgdbmailusers.c
+ chown root.apache chgdbmailusers
+ strip chgdbmailusers
+ chmod 4550 chgdbmailusers
+*/
+
+main(int argc, char *argv[])
+{
+ int cnt,rc,cc;
+ char cmnd[1024];
+
+ strcpy(cmnd, CMD);
+
+ if (argc > 1)
+ {
+ for (cnt = 1; cnt < argc; cnt++)
+ {
+ strcat(cmnd, " ");
+ strcat(cmnd, argv[cnt]);
+ }
+ }
+ else
+ {
+ fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
+ return 255;
+ }
+
+ cc = setuid(UID);
+ rc = system(cmnd);
+
+ if ((rc != 0) || (cc != 0))
+ {
+ fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
+ return 1;
+ }
+
+ return 0;
+}
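Review bot: The argument loop in main appends every caller-supplied argv element to the fixed 1024-byte `cmnd` buffer with `strcat` and no length check, then hands the string to `system()`, which interprets it through /bin/sh; since the INSTALLING comment installs this binary setuid root, both the unbounded copy and the shell interpretation of the arguments are defects in the new code. The two sibling helpers in this commit avoid both by exec'ing `CMD` with the argv array directly, and the same shape works here and removes the buffer and the shell entirely. The `argc <= 1` branch also prints `rc` and `cc` before either has been assigned, and a failed `setuid` should stop the program before anything is executed rather than being reported after the command has already run. `main` is declared without a return type, which is not valid C99.
```c
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "__ %s: no arguments given\n", argv[0]);
        return 255;
    }

    /* change UID first; never run the command if that failed */
    if (setuid(UID) != 0) {
        fprintf(stderr, "__ %s: setuid failed\n", argv[0]);
        return 1;
    }

    /* execv passes argv through as an array: no shell, no fixed-size buffer */
    execv(CMD, argv);
    fprintf(stderr, "__ %s: exec of %s failed\n", argv[0], CMD);
    return 1;
}
```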
diff --git a/plugins/password/helpers/chgsaslpasswd.c b/plugins/password/helpers/chgsaslpasswd.c
new file mode 100644
index 000000000..bcdcb2e0d
--- /dev/null
+++ b/plugins/password/helpers/chgsaslpasswd.c
@@ -0,0 +1,29 @@
+#include <stdio.h>
+#include <unistd.h>
+
+// set the UID this script will run as (cyrus user)
+#define UID 96
+// set the path to saslpasswd or saslpasswd2
+#define CMD "/usr/sbin/saslpasswd2"
+
+/* INSTALLING:
+ gcc -o chgsaslpasswd chgsaslpasswd.c
+ chown cyrus.apache chgsaslpasswd
+ strip chgsaslpasswd
+ chmod 4550 chgsaslpasswd
+*/
+
+main(int argc, char *argv[])
+{
+ int rc,cc;
+
+ cc = setuid(UID);
+ rc = execvp(CMD, argv);
+ if ((rc != 0) || (cc != 0))
+ {
+ fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
+ return 1;
+ }
+
+ return 0;
+}
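Review bot: The `cc != 0` test after `execvp` is only reached when the exec itself failed, so a `setuid` failure does not prevent `saslpasswd2` from being started; the check belongs before the exec, `if (setuid(UID) != 0) { perror("setuid"); return 1; }`. On a successful exec the process image is replaced and nothing after it runs, so the combined `(rc != 0) || (cc != 0)` condition is effectively just the exec-failure path, where `perror(CMD)` would also record the reason. `main` is declared without a return type, which is not valid C99. chgvirtualminpasswd.c in this commit has the identical structure and needs the same change.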
diff --git a/plugins/password/helpers/chgvirtualminpasswd.c b/plugins/password/helpers/chgvirtualminpasswd.c
new file mode 100644
index 000000000..4e2299c66
--- /dev/null
+++ b/plugins/password/helpers/chgvirtualminpasswd.c
@@ -0,0 +1,28 @@
+#include <stdio.h>
+#include <unistd.h>
+
+// set the UID this script will run as (root user)
+#define UID 0
+#define CMD "/usr/sbin/virtualmin"
+
+/* INSTALLING:
+ gcc -o chgvirtualminpasswd chgvirtualminpasswd.c
+ chown root.apache chgvirtualminpasswd
+ strip chgvirtualminpasswd
+ chmod 4550 chgvirtualminpasswd
+*/
+
+main(int argc, char *argv[])
+{
+ int rc,cc;
+
+ cc = setuid(UID);
+ rc = execvp(CMD, argv);
+ if ((rc != 0) || (cc != 0))
+ {
+ fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/plugins/password/helpers/chpass-wrapper.py b/plugins/password/helpers/chpass-wrapper.py
new file mode 100644
index 000000000..61bba849e
--- /dev/null
+++ b/plugins/password/helpers/chpass-wrapper.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+
+import sys
+import pwd
+import subprocess
+
+BLACKLIST = (
+ # add blacklisted users here
+ #'user1',
+)
+
+try:
+ username, password = sys.stdin.readline().split(':', 1)
+except ValueError, e:
+ sys.exit('Malformed input')
+
+try:
+ user = pwd.getpwnam(username)
+except KeyError, e:
+ sys.exit('No such user: %s' % username)
+
+if user.pw_uid < 1000:
+ sys.exit('Changing the password for user id < 1000 is forbidden')
+
+if username in BLACKLIST:
+ sys.exit('Changing password for user %s is forbidden (user blacklisted)' %
+ username)
+
+handle = subprocess.Popen('/usr/sbin/chpasswd', stdin = subprocess.PIPE)
+handle.communicate('%s:%s' % (username, password))
+
+sys.exit(handle.returncode)
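Review bot: The `except ValueError, e:` and `except KeyError, e:` clauses are Python 2-only syntax, and `e` is never used; with the shebang `#!/usr/bin/env python`, on any system where that resolves to Python 3 the wrapper fails to parse before a single check runs. `except ValueError:` and `except KeyError:` are accepted by both versions. Under Python 3 `handle.communicate` would also need bytes rather than a str for the `username:password` line. The username is looked up in the passwd database and checked against the uid threshold and the blacklist before chpasswd is started, which is the right order; a comment such as `# refuse system accounts (uid < 1000) and blacklisted users before touching chpasswd` above those checks would make that intent explicit.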
diff --git a/plugins/password/helpers/dovecot_hmacmd5.php b/plugins/password/helpers/dovecot_hmacmd5.php
new file mode 100644
index 000000000..644b5377e
--- /dev/null
+++ b/plugins/password/helpers/dovecot_hmacmd5.php
@@ -0,0 +1,191 @@
+<?php
+
+/**
+ *
+ * dovecot_hmacmd5.php V1.01
+ *
+ * Generates HMAC-MD5 'contexts' for Dovecot's password files.
+ *
+ * (C) 2008 Hajo Noerenberg
+ *
+ * http://www.noerenberg.de/hajo/pub/dovecot_hmacmd5.php.txt
+ *
+ * Most of the code has been shamelessly stolen from various sources:
+ *
+ * (C) Paul Johnston 1999 - 2000 / http://pajhome.org.uk/crypt/md5/
+ * (C) William K. Cole 2008 / http://www.scconsult.com/bill/crampass.pl
+ * (C) Borfast 2002 / http://www.zend.com/code/codex.php?ozid=962&single=1
+ * (C) Thomas Weber / http://pajhome.org.uk/crypt/md5/contrib/md5.java.txt
+ *
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3.0 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/gpl-3.0.txt>.
+ *
+ */
+
+/* Convert a 32-bit number to a hex string with ls-byte first
+ */
+
+function rhex($n) {
+ $hex_chr = "0123456789abcdef"; $r = '';
+ for($j = 0; $j <= 3; $j++)
+ $r .= $hex_chr[($n >> ($j * 8 + 4)) & 0x0F] . $hex_chr[($n >> ($j * 8)) & 0x0F];
+ return $r;
+}
+
+/* zeroFill() is needed because PHP doesn't have a zero-fill
+ * right shift operator like JavaScript's >>>
+ */
+
+function zeroFill($a, $b) {
+ $z = hexdec(80000000);
+ if ($z & $a) {
+ $a >>= 1;
+ $a &= (~$z);
+ $a |= 0x40000000;
+ $a >>= ($b-1);
+ } else {
+ $a >>= $b;
+ }
+ return $a;
+}
+
+/* Bitwise rotate a 32-bit number to the left
+ */
+
+function bit_rol($num, $cnt) {
+ return ($num << $cnt) | (zeroFill($num, (32 - $cnt)));
+}
+
+/* Add integers, wrapping at 2^32
+ */
+
+function safe_add($x, $y) {
+ return (($x&0x7FFFFFFF) + ($y&0x7FFFFFFF)) ^ ($x&0x80000000) ^ ($y&0x80000000);
+}
+
+/* These functions implement the four basic operations the algorithm uses.
+ */
+
+function md5_cmn($q, $a, $b, $x, $s, $t) {
+ return safe_add(bit_rol(safe_add(safe_add($a, $q), safe_add($x, $t)), $s), $b);
+}
+function md5_ff($a, $b, $c, $d, $x, $s, $t) {
+ return md5_cmn(($b & $c) | ((~$b) & $d), $a, $b, $x, $s, $t);
+}
+function md5_gg($a, $b, $c, $d, $x, $s, $t) {
+ return md5_cmn(($b & $d) | ($c & (~$d)), $a, $b, $x, $s, $t);
+}
+function md5_hh($a, $b, $c, $d, $x, $s, $t) {
+ return md5_cmn($b ^ $c ^ $d, $a, $b, $x, $s, $t);
+}
+function md5_ii($a, $b, $c, $d, $x, $s, $t) {
+ return md5_cmn($c ^ ($b | (~$d)), $a, $b, $x, $s, $t);
+}
+
+/* Calculate the first round of the MD5 algorithm
+ */
+
+function md5_oneround($s, $io) {
+
+ $s = str_pad($s, 64, chr(0x00));
+
+ $x = array_fill(0, 16, 0);
+
+ for($i = 0; $i < 64; $i++)
+ $x[$i >> 2] |= (($io ? 0x36 : 0x5c) ^ ord($s[$i])) << (($i % 4) * 8);
+
+ $a = $olda = 1732584193;
+ $b = $oldb = -271733879;
+ $c = $oldc = -1732584194;
+ $d = $oldd = 271733878;
+
+ $a = md5_ff($a, $b, $c, $d, $x[ 0], 7 , -680876936);
+ $d = md5_ff($d, $a, $b, $c, $x[ 1], 12, -389564586);
+ $c = md5_ff($c, $d, $a, $b, $x[ 2], 17, 606105819);
+ $b = md5_ff($b, $c, $d, $a, $x[ 3], 22, -1044525330);
+ $a = md5_ff($a, $b, $c, $d, $x[ 4], 7 , -176418897);
+ $d = md5_ff($d, $a, $b, $c, $x[ 5], 12, 1200080426);
+ $c = md5_ff($c, $d, $a, $b, $x[ 6], 17, -1473231341);
+ $b = md5_ff($b, $c, $d, $a, $x[ 7], 22, -45705983);
+ $a = md5_ff($a, $b, $c, $d, $x[ 8], 7 , 1770035416);
+ $d = md5_ff($d, $a, $b, $c, $x[ 9], 12, -1958414417);
+ $c = md5_ff($c, $d, $a, $b, $x[10], 17, -42063);
+ $b = md5_ff($b, $c, $d, $a, $x[11], 22, -1990404162);
+ $a = md5_ff($a, $b, $c, $d, $x[12], 7 , 1804603682);
+ $d = md5_ff($d, $a, $b, $c, $x[13], 12, -40341101);
+ $c = md5_ff($c, $d, $a, $b, $x[14], 17, -1502002290);
+ $b = md5_ff($b, $c, $d, $a, $x[15], 22, 1236535329);
+
+ $a = md5_gg($a, $b, $c, $d, $x[ 1], 5 , -165796510);
+ $d = md5_gg($d, $a, $b, $c, $x[ 6], 9 , -1069501632);
+ $c = md5_gg($c, $d, $a, $b, $x[11], 14, 643717713);
+ $b = md5_gg($b, $c, $d, $a, $x[ 0], 20, -373897302);
+ $a = md5_gg($a, $b, $c, $d, $x[ 5], 5 , -701558691);
+ $d = md5_gg($d, $a, $b, $c, $x[10], 9 , 38016083);
+ $c = md5_gg($c, $d, $a, $b, $x[15], 14, -660478335);
+ $b = md5_gg($b, $c, $d, $a, $x[ 4], 20, -405537848);
+ $a = md5_gg($a, $b, $c, $d, $x[ 9], 5 , 568446438);
+ $d = md5_gg($d, $a, $b, $c, $x[14], 9 , -1019803690);
+ $c = md5_gg($c, $d, $a, $b, $x[ 3], 14, -187363961);
+ $b = md5_gg($b, $c, $d, $a, $x[ 8], 20, 1163531501);
+ $a = md5_gg($a, $b, $c, $d, $x[13], 5 , -1444681467);
+ $d = md5_gg($d, $a, $b, $c, $x[ 2], 9 , -51403784);
+ $c = md5_gg($c, $d, $a, $b, $x[ 7], 14, 1735328473);
+ $b = md5_gg($b, $c, $d, $a, $x[12], 20, -1926607734);
+
+ $a = md5_hh($a, $b, $c, $d, $x[ 5], 4 , -378558);
+ $d = md5_hh($d, $a, $b, $c, $x[ 8], 11, -2022574463);
+ $c = md5_hh($c, $d, $a, $b, $x[11], 16, 1839030562);
+ $b = md5_hh($b, $c, $d, $a, $x[14], 23, -35309556);
+ $a = md5_hh($a, $b, $c, $d, $x[ 1], 4 , -1530992060);
+ $d = md5_hh($d, $a, $b, $c, $x[ 4], 11, 1272893353);
+ $c = md5_hh($c, $d, $a, $b, $x[ 7], 16, -155497632);
+ $b = md5_hh($b, $c, $d, $a, $x[10], 23, -1094730640);
+ $a = md5_hh($a, $b, $c, $d, $x[13], 4 , 681279174);
+ $d = md5_hh($d, $a, $b, $c, $x[ 0], 11, -358537222);
+ $c = md5_hh($c, $d, $a, $b, $x[ 3], 16, -722521979);
+ $b = md5_hh($b, $c, $d, $a, $x[ 6], 23, 76029189);
+ $a = md5_hh($a, $b, $c, $d, $x[ 9], 4 , -640364487);
+ $d = md5_hh($d, $a, $b, $c, $x[12], 11, -421815835);
+ $c = md5_hh($c, $d, $a, $b, $x[15], 16, 530742520);
+ $b = md5_hh($b, $c, $d, $a, $x[ 2], 23, -995338651);
+
+ $a = md5_ii($a, $b, $c, $d, $x[ 0], 6 , -198630844);
+ $d = md5_ii($d, $a, $b, $c, $x[ 7], 10, 1126891415);
+ $c = md5_ii($c, $d, $a, $b, $x[14], 15, -1416354905);
+ $b = md5_ii($b, $c, $d, $a, $x[ 5], 21, -57434055);
+ $a = md5_ii($a, $b, $c, $d, $x[12], 6 , 1700485571);
+ $d = md5_ii($d, $a, $b, $c, $x[ 3], 10, -1894986606);
+ $c = md5_ii($c, $d, $a, $b, $x[10], 15, -1051523);
+ $b = md5_ii($b, $c, $d, $a, $x[ 1], 21, -2054922799);
+ $a = md5_ii($a, $b, $c, $d, $x[ 8], 6 , 1873313359);
+ $d = md5_ii($d, $a, $b, $c, $x[15], 10, -30611744);
+ $c = md5_ii($c, $d, $a, $b, $x[ 6], 15, -1560198380);
+ $b = md5_ii($b, $c, $d, $a, $x[13], 21, 1309151649);
+ $a = md5_ii($a, $b, $c, $d, $x[ 4], 6 , -145523070);
+ $d = md5_ii($d, $a, $b, $c, $x[11], 10, -1120210379);
+ $c = md5_ii($c, $d, $a, $b, $x[ 2], 15, 718787259);
+ $b = md5_ii($b, $c, $d, $a, $x[ 9], 21, -343485551);
+
+ $a = safe_add($a, $olda);
+ $b = safe_add($b, $oldb);
+ $c = safe_add($c, $oldc);
+ $d = safe_add($d, $oldd);
+
+ return rhex($a) . rhex($b) . rhex($c) . rhex($d);
+}
+
+function dovecot_hmacmd5 ($s) {
+ if (strlen($s) > 64) $s=pack("H*", md5($s));
+ return "{CRAM-MD5}" . md5_oneround($s, 0) . md5_oneround($s, 1);
+}
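Review bot: `md5_oneround` takes `$io` as a bare truthy flag that selects the HMAC inner pad byte (0x36) when set and the outer pad (0x5c) otherwise, and its header comment calls it "the first round of the MD5 algorithm", which reads as one of the 64 rounds rather than the single-block compression it performs; the parameter and the comment should say so. A docblock along the lines of `/* Compress one 64-byte block: $s zero-padded to 64 bytes and XORed with the HMAC pad byte (0x36 when $io is truthy, 0x5c otherwise); returns the resulting MD5 state as 32 hex chars, least-significant byte first per word. */` would cover it, with `/* Dovecot CRAM-MD5 context; keys longer than the 64-byte block are first reduced with md5(), as HMAC requires. */` on `dovecot_hmacmd5`. The arithmetic in `safe_add`/`bit_rol` relies on the `0x7FFFFFFF`/`0x80000000` masks to discard anything above bit 31, which appears to hold on 64-bit PHP as well, but a known-answer test against a context produced by Dovecot's own tooling would make that assumption explicit rather than implied.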
diff --git a/plugins/password/helpers/passwd-expect b/plugins/password/helpers/passwd-expect
new file mode 100644
index 000000000..7db21ad1f
--- /dev/null
+++ b/plugins/password/helpers/passwd-expect
@@ -0,0 +1,267 @@
+#
+# This scripts changes a password on the local system or a remote host.
+# Connections to the remote (this can also be localhost) are made by ssh, rsh,
+# telnet or rlogin.
+
+# @author Gaudenz Steinlin <gaudenz@soziologie.ch>
+
+# For sudo support alter sudoers (using visudo) so that it contains the
+# following information (replace 'apache' if your webserver runs under another
+# user):
+# -----
+# # Needed for Horde's passwd module
+# Runas_Alias REGULARUSERS = ALL, !root
+# apache ALL=(REGULARUSERS) NOPASSWD:/usr/bin/passwd
+# -----
+
+# @stdin The username, oldpassword, newpassword (in this order)
+# will be taken from stdin
+# @param -prompt regexp for the shell prompt
+# @param -password regexp password prompt
+# @param -oldpassword regexp for the old password
+# @param -newpassword regexp for the new password
+# @param -verify regexp for verifying the password
+# @param -success regexp for success changing the password
+# @param -login regexp for the telnet prompt for the loginname
+# @param -host hostname to be connected
+# @param -timeout timeout for each step
+# @param -log file for writing error messages
+# @param -output file for loging the output
+# @param -telnet use telnet
+# @param -ssh use ssh (default)
+# @param -rlogin use rlogin
+# @param -slogin use slogin
+# @param -sudo use sudo
+# @param -program command for changing passwords
+#
+# @return 0 on success, 1 on failure
+#
+
+
+# default values
+set host "localhost"
+set login "ssh"
+set program "passwd"
+set prompt_string "(%|\\\$|>)"
+set fingerprint_string "The authenticity of host.* can't be established.*\nRSA key fingerprint is.*\nAre you sure you want to continue connecting.*"
+set password_string "(P|p)assword.*"
+set oldpassword_string "((O|o)ld|login|\\\(current\\\) UNIX) (P|p)assword.*"
+set newpassword_string "(N|n)ew.* (P|p)assword.*"
+set badoldpassword_string "(Authentication token manipulation error).*"
+set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)"
+set verify_string "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*"
+set success_string "((P|p)assword.* changed|successfully)"
+set login_string "(((L|l)ogin|(U|u)sername).*)"
+set timeout 20
+set log "/tmp/passwd.out"
+set output false
+set output_file "/tmp/passwd.log"
+
+# read input from stdin
+fconfigure stdin -blocking 1
+
+gets stdin user
+gets stdin password(old)
+gets stdin password(new)
+
+# alternative: read input from command line
+#if {$argc < 3} {
+# send_user "Too few arguments: Usage $argv0 username oldpass newpass"
+# exit 1
+#}
+#set user [lindex $argv 0]
+#set password(old) [lindex $argv 1]
+#set password(new) [lindex $argv 2]
+
+# no output to the user
+log_user 0
+
+# read in other options
+for {set i 0} {$i<$argc} {incr i} {
+ set arg [lindex $argv $i]
+ switch -- $arg "-prompt" {
+ incr i
+ set prompt_string [lindex $argv $i]
+ continue
+ } "-password" {
+ incr i
+ set password_string [lindex $argv $i]
+ continue
+ } "-oldpassword" {
+ incr i
+ set oldpassword_string [lindex $argv $i]
+ continue
+ } "-newpassword" {
+ incr i
+ set newpassword_string [lindex $argv $i]
+ continue
+ } "-verify" {
+ incr i
+ set verify_string [lindex $argv $i]
+ continue
+ } "-success" {
+ incr i
+ set success_string [lindex $argv $i]
+ continue
+ } "-login" {
+ incr i
+ set login_string [lindex $argv $i]
+ continue
+ } "-host" {
+ incr i
+ set host [lindex $argv $i]
+ continue
+ } "-timeout" {
+ incr i
+ set timeout [lindex $argv $i]
+ continue
+ } "-log" {
+ incr i
+ set log [lindex $argv $i]
+ continue
+ } "-output" {
+ incr i
+ set output_file [lindex $argv $i]
+ set output true
+ continue
+ } "-telnet" {
+ set login "telnet"
+ continue
+ } "-ssh" {
+ set login "ssh"
+ continue
+ } "-ssh-exec" {
+ set login "ssh-exec"
+ continue
+ } "-rlogin" {
+ set login "rlogin"
+ continue
+ } "-slogin" {
+ set login "slogin"
+ continue
+ } "-sudo" {
+ set login "sudo"
+ continue
+ } "-program" {
+ incr i
+ set program [lindex $argv $i]
+ continue
+ }
+}
+
+# log session
+if {$output} {
+ log_file $output_file
+}
+
+set err [open $log "w" "0600"]
+
+# start remote session
+if {[string match $login "rlogin"]} {
+ set pid [spawn rlogin $host -l $user]
+} elseif {[string match $login "slogin"]} {
+ set pid [spawn slogin $host -l $user]
+} elseif {[string match $login "ssh"]} {
+ set pid [spawn ssh $host -l $user]
+} elseif {[string match $login "ssh-exec"]} {
+ set pid [spawn ssh $host -l $user $program]
+} elseif {[string match $login "sudo"]} {
+ set pid [spawn sudo -u $user $program]
+} elseif {[string match $login "telnet"]} {
+ set pid [spawn telnet $host]
+ expect -re $login_string {
+ sleep .5
+ send "$user\r"
+ }
+} else {
+ puts $err "Invalid login mode. Valid modes: rlogin, slogin, ssh, telnet, sudo\n"
+ close $err
+ exit 1
+}
+
+set old_password_notentered true
+
+if {![string match $login "sudo"]} {
+ # log in
+ expect {
+ -re $fingerprint_string {sleep .5
+ send yes\r
+ exp_continue}
+ -re $password_string {sleep .5
+ send $password(old)\r}
+ timeout {puts $err "Could not login to system (no password prompt)\n"
+ close $err
+ exit 1}
+ }
+
+ # start password changing program
+ expect {
+ -re $prompt_string {sleep .5
+ send $program\r}
+ # The following is for when passwd is the login shell or ssh-exec is used
+ -re $oldpassword_string {sleep .5
+ send $password(old)\r
+ set old_password_notentered false}
+ timeout {puts $err "Could not login to system (bad old password?)\n"
+ close $err
+ exit 1}
+ }
+}
+
+# send old password
+if {$old_password_notentered} {
+ expect {
+ -re $oldpassword_string {sleep .5
+ send $password(old)\r}
+ timeout {puts $err "Could not start passwd program (no old password prompt)\n"
+ close $err
+ exit 1}
+ }
+}
+
+# send new password
+expect {
+ -re $newpassword_string {sleep .5
+ send $password(new)\r}
+ -re $badoldpassword_string {puts $err "Old password is incorrect\n"
+ close $err
+ exit 1}
+ timeout {puts "Could not change password (bad old password?)\n"
+ close $err
+ exit 1}
+}
+
+# send new password again
+expect {
+ -re $badpassword_string {puts $err "$expect_out(0,string)"
+ close $err
+ send \003
+ sleep .5
+ exit 1}
+ -re $verify_string {sleep .5
+ send $password(new)\r}
+ timeout {puts $err "New password not valid (too short, bad password, too similar, ...)\n"
+ close $err
+ send \003
+ sleep .5
+ exit 1}
+}
+
+# check response
+expect {
+ -re $success_string {sleep .5
+ send exit\r}
+ -re $badpassword_string {puts $err "$expect_out(0,string)"
+ close $err
+ exit 1}
+ timeout {puts $err "Could not change password.\n"
+ close $err
+ exit 1}
+}
+
+# exit succsessfully
+expect {
+ eof {close $err
+ exit 0}
+}
+close $err
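Review bot: The first `expect` block after the spawn answers any host-key prompt matched by `fingerprint_string` with `yes` and then sends the user's old password, so a connection to a host whose key is not yet in known_hosts completes without the key ever being verified and the password is delivered to whatever answered. A safer default is to treat that prompt as a failure, `-re $fingerprint_string {puts $err "Unknown host key for $host\n"; close $err; exit 1}`, and require the key to be present in known_hosts beforehand. Separately, the timeout branch of the "send new password" block uses `puts "Could not change password (bad old password?)\n"` where every other error path uses `puts $err …`, so that message goes to stdout and never reaches the log file. The default `log` and `output_file` values are fixed names under /tmp opened with `w`, a shared writable location; a per-invocation name or a default under the web server's own directory would be safer, and the `-output` session log should be documented as capturing the full exchange with the password program.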