courierpassd(8) [debian man page]

COURIERPASSD(8) 						  Authentication						   COURIERPASSD(8)

NAME
       courierpassd - change passwords from across the network using the Courier authentication library

SYNOPSIS
       courierpassd [-hV] [-s SERVICE] [--stderr]

       courierpassd -s, --service SERVICE
       courierpassd --stderr
       courierpassd -h, --help
       courierpassd -V, --version

DESCRIPTION
       courierpassd allows users to change their passwords from remote locations using the Courier authentication library. Usernames can be up to 64 characters long while passwords can be up to 128 characters long. courierpassd uses the poppassd protocol for obtaining authentication tokens from the network.

       courierpassd is intended to be run from a super-server such as tcpserver or xinetd.

       The service specified by the -s switch will depend on the particular authentication modules installed. Often 'login' will be appropriate but other possibilities include 'imap' and 'pop3'. This value defaults to 'login'. See the Courier documentation for a further explanation of this switch.

       The minimum uid that courierpassd will attempt to change a password for can be set at compile time using the configure option --with-minuid. courierpassd will refuse to change the password of a user whose uid is below this value. The default value is 100. This value should never be set to 0 as this would allow root's password to be changed from a remote location.

       A second configure option, --with-badpassdelay, can be used to set the delay in seconds that courierpassd sleeps after an unsuccessful password change attempt. This feature is designed to make brute force attacks against passwords harder to perform. The default value is 3.

LOGGING
       Logging is done to syslog by default or to stderr if the --stderr switch is used. courierpassd logs all password change attempts whether they are successful or not.

       courierpassd does certain checks on command line arguments so it is important to put --stderr first in the argument list if it is to be used in order for these checks to be logged properly.

EXAMPLE CLIENT-SERVER CONVERSATION
       All messages passed between server and client are text based allowing a client session to be easily mimicked with telnet. Using telnet, changing a user's password would look like this:

              Connected to localhost.localdomain (127.0.0.1).
              Escape character is '^]'.
              200 courierpassd 1.1.2 hello, who are you?
              user <username>
              200 Your password please.
              pass <current password>
              200 Your new password please.
              newpass <new password>
              200 Password changed, thank-you.
              quit
              200 Bye.
              Connection closed by foreign host.

BUGS
       If you've found a bug in courierpassd, please report it to freeware@arda.homeunix.net

SEE ALSO
       http://www.courier-mta.org/authlib/
       http://echelon.pl/pubs/poppassd.html

AUTHOR
       courierpassd was written by Andrew St. Jean
       Courier authentication library was written by Sam Varshavchik
       poppassd was written by Pawel Krawczyk based on an earlier version written by John Norstad, Roy Smith and Daniel L. Leavitt

GNU/Linux                               20 Jan 2005                        COURIERPASSD(8)
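
The dialogue from EXAMPLE CLIENT-SERVER CONVERSATION, combined with the uid floor and failure delay from DESCRIPTION, modelled as an added example (this is not courierpassd's source code). The Session class, the in-memory account table standing in for the Courier authentication library, and the "500" failure reply are assumptions made for illustration.

```python
import hmac
import time

MIN_UID = 100        # man page default for --with-minuid
BAD_PASS_DELAY = 3   # man page default for --with-badpassdelay, in seconds
MAX_USER, MAX_PASS = 64, 128   # length limits stated in the man page
FAIL = "500 Password change failed."   # assumed wording and code, not from the page

class Session:
    """One client connection; accounts maps name -> (uid, password), constructed data."""

    def __init__(self, accounts, sleep=time.sleep):
        self.accounts, self.sleep = accounts, sleep
        self.user = self.old = None

    def handle(self, line):
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.lower()
        if verb == "quit":
            return "200 Bye."
        if verb == "user" and self.user is None and 0 < len(arg) <= MAX_USER:
            self.user = arg
            return "200 Your password please."
        if verb == "pass" and self.user and self.old is None and len(arg) <= MAX_PASS:
            self.old = arg
            return "200 Your new password please."
        if verb == "newpass" and self.old is not None:
            return self._change(arg)
        return self._reject()

    def _change(self, new):
        # Unknown users are checked against an empty password and then refused.
        uid, current = self.accounts.get(self.user, (None, ""))
        match = hmac.compare_digest(current.encode(), self.old.encode())
        if uid is None or uid < MIN_UID or not match or not 0 < len(new) <= MAX_PASS:
            return self._reject()
        self.accounts[self.user] = (uid, new)
        self.user = self.old = None
        return "200 Password changed, thank-you."

    def _reject(self):
        # Same reply and same delay for every failure: no hint about which check failed.
        self.user = self.old = None
        self.sleep(BAD_PASS_DELAY)
        return FAIL
```

Passing a recording function as sleep (for example a list's append method) lets the delay be observed without actually waiting.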

Check Out this Related Man Page

pam_sm_chauthtok(3)					     Library Functions Manual					       pam_sm_chauthtok(3)

NAME
       pam_sm_chauthtok - Service provider implementation for pam_chauthtok

SYNOPSIS
       [ flag ... ] file ... [ library ... ]

DESCRIPTION
       In response to a call to the PAM framework calls from the modules listed in the pam.conf(4) file. The password management provider supplies the back-end functionality for this interface function. changes the authentication token associated with a particular user referenced by the authentication handle, pamh.

       The following flag may be passed in to

              The password service should not generate any messages.

              The password service should only update those passwords that have aged. If this flag is not passed, the password service should update all passwords.

              The password service should only perform preliminary checks. No passwords should be updated.

              The password service should update passwords.

       Note that and can not be set at the same time. Upon successful completion of the call, the authentication token of the user will be ready for change or will be changed (depending upon the flag) in accordance with the authentication scheme configured within the system.

       The argc argument represents the number of module options passed in from the configuration file pam.conf(4). argv specifies the module options, which are interpreted and processed by the password management service. Please refer to the specific module man pages for the various available options.

       It is the responsibility of to determine if the new password meets certain strength requirements. may continue to re-prompt the user (for a limited number of times) for a new password until the password entered meets the strength requirements.

       Before returning, should call and retrieve both and If both are NULL, should set them to the new and old passwords as entered by the user.

APPLICATION USAGE
       Refer to pam(3) for information on thread-safety of PAM interfaces.

NOTES
       The PAM framework invokes the password services twice. The first time the modules are invoked with the flag, During this stage, the password modules should only perform preliminary checks (ping remote name services to see if they are ready for updates, for example). If a password module detects a transient error (remote name service temporarily down, for example) it should return to the PAM framework, which will immediately return the error back to the application. If all password modules pass the preliminary check, the PAM framework invokes the password services again with the flag, During this stage, each password module should proceed to update the appropriate password. Any error will again be reported back to application.

       If a service module receives the flag, it should check whether the password has aged or expired. If the password has aged or expired, then the service module should proceed to update the password. If the status indicates that the password has not yet aged/expired, then the password module should return

       If a user's password has aged or expired, a PAM account module could save this information as state in the authentication handle, pamh, using The related password management module could retrieve this information using to determine whether or not it should prompt the user to update the password for this particular module.

RETURN VALUES
       Upon successful completion, must be returned. The following values may also be returned:

              No permission.
              Authentication token manipulation error.
              Old authentication token cannot be recovered.
              Authentication token lock busy.
              Authentication token aging disabled.
              User unknown to password service.
              Preliminary check by password service failed.

SEE ALSO
       pam(3), pam_chauthtok(3), pam.conf(4).

                                                                           pam_sm_chauthtok(3)