Re: Change_Passwd 4.2e

>>>>>  > General Information:
>>>>>  > Fedora 11 Preview
>>>>>  > Apache 2.2.11, both user and group are apache
>>>>>  > PHP 5.2.9
>>>>>  >
>>>>>  > Directory Listing of the Plugin Directory (ls -laF)
>>>>>  > total 120
>>>>>  > drwxr-xr-x  3 root root    4096 2009-05-21 15:58 ./
>>>>>  > drwxr-xr-x 22 root root    4096 2009-05-21 12:51 ../
>>>>>  > -rwsr-x---  1 root apache 10744 2009-01-03 18:23 chpasswd*
>>>>>  > -rw-r--r--  1 root root    7290 2009-01-03 18:23 chpasswd.c
>>>>>  > -rw-r--r--  1 root root    1588 2009-05-21 15:54 config.php
>>>>>  > -rw-r--r--  1 root root    1587 2009-01-03 18:23 config.php.sample
>>>>>  > -rw-r--r--  1 root root   15802 2009-01-03 18:23 COPYING
>>>>>  > -rw-r--r--  1 root root     610 2009-01-03 18:23 exec_test.php
>>>>>  > -rw-r--r--  1 root root    2068 2009-01-03 18:23 functions.php
>>>>>  > -rw-r--r--  1 root root     114 2009-01-03 18:23 getpot
>>>>>  > -rw-r--r--  1 root root     466 2009-01-03 18:23 index.php
>>>>>  > -rw-r--r--  1 root root    2120 2009-01-03 18:23 INSTALL
>>>>>  > -rwxr-xr-x  1 root root    4322 2009-01-03 18:23 ldap-chpasswd*
>>>>>  > -rw-r--r--  1 root root    1018 2009-01-03 18:23
>>>>> ldap-chpasswd.cfg.sample
>>>>>  > drwxr-xr-x  3 root root    4096 2009-01-03 18:23 locale/
>>>>>  > -rw-r--r--  1 root root   11997 2009-01-03 18:23 options.php
>>>>>  > -rw-r--r--  1 root root    9119 2009-01-03 18:23 README
>>>>>  > -rw-r--r--  1 root root    1356 2009-01-03 18:23 setup.php
>>>>>  > -rw-r--r--  1 root root      19 2009-01-03 18:23 version
>>>>>  >
>>>>>  > $seeOutput results:
>>>>>  > Current password is incorrect
>>>>>  > Command output:
>>>>>  > Current password is incorrect
>>>>>  > Return code: 9
>>>>>  >
>>>>>  > $debug results:
>>>>>  > cd /usr/local/squirrelmail/www/plugins/change_passwd
>>>>>  > ../../plugins/change_passwd/chpasswd '<userid>' '<oldPasswd>'
>>>>>  > '<newPasswd>' 2>&1
>>>>>  >
>>>>>  > When run the above in a console, the result of these commands is:
>>>>>  > Current password is incorrect
>>>>>
>>>>> Are you sure you are really using the same username AND password that
>>>>> are in the /etc/passwd or /etc/shadow file??
>>>> If you are referring to user input, then yes the userid and password are
>>>> in /etc/passwd and /etc/shadow.  If you are referring to the program, I
>>>> can only assume that it is so since the variables cited below point to
>>>> the correct files.
>>>>
>>>>>  > Squirrelmail 1.4.17 was installed per the instruction set:
>>>>>  > http://squirrelmail.org/docs/admin/admin-3.html#ss3.2
>>>>>  > starting at "Prepare SquirrelMail directories" since the other
>>>>>  > requirements were already installed from source.
>>>>>
>>>>> Doesn't sound like a SquirrelMail issue.
>>>> I agree since it and the Local_autorespond_forward plugin is working
>>>> quite well.
>>>>
>>>>>  > Plugins installed and configured into Squirrelmail:
>>>>>  > Compatibility 2.0.14-1.0
>>>>>  > Local_autorespond_forward 3.0.1-1.4.0
>>>>>  > Change_passwd 4.2e
>>>>>
>>>>> I've never heard of this version.  I only support versions that I have
>>>>> produced, so you might talk to the author of this plugin version.
>>>> Fair enough.
>>>>
>>>>>  > The CompatibilityDependencies list shows that change_passwd requires
>>>>>  > compatibility 1.x, but that "an updated version that works with 2.x is
>>>>>  > available from the author."  The latest version I have been able to find
>>>>>  > is 4.2e which was released January 4, 2009, per
>>>>>  > http://www.linuxmail.info/change_passwd/.
>>>>>
>>>>> Then you should ask for help there.  "Available from the author"
>>>>> usually means you have to ask the author for a copy of that "updated
>>>>> version."  I can give you mine.
>>>> Again, fair enough.  If you have a version of the plugin which works
>>>> with Compatibility 2.0.14-1.0, I would love to know how to get it.
>>>> Until then, I think that the line 165 advice below will be moot.
>>>>>  > I have searched the email lists (all four) and found something from Mr.
>>>>>  > Lesniewski that states to recompile the binary.  Per the head of the C
>>>>>  > file, I have even attempted a recompile of the code using both versions
>>>>>  > contained with the C file... as well as compiling per the bottom of:
>>>>>  >
>>>>>  > http://www.linuxmail.info/squirrelmail-change-password-howto/
>>>>>  >
>>>>>  > The C file does show that PASSWD is /etc/passwd and SHADOW is
>>>>>  > /etc/shadow, both of which are correct.
>>>>>
>>>>> Again, I don't know what the code is you have, but in my code, in
>>>>> chpasswd.c around line 165, I see this:
>>>>>
>>>>>                                         printf("Current password is
>>>>> incorrect\n");
>>>>>                                         //printf("Current password
>>>>> \"%s\" is incorrect; encrypted, it is \"%s\", but encrypting the given
>>>>> one results in \"%s\"\n", Old_pw, WOld_pw, (char *)crypt(Old_pw,
>>>>> WOld_pw));
>>>>>
>>>>> Try uncommenting the second line and see what you get while doublt
>>>>> checking against the users in the password file.  The problem is that
>>>>> your version of the program is getting something else from the
>>>>> password file other than what you are giving it.
>>
>> With Change_passwd-4.3beta1-1.2.8
>>
>>
>> Trying the binary tarballed with the plugin:
>>
>> Without $seeOutput or $debug
>> Your current password is not correct
>>
>>
>> With $seeOutput:
>> Your current password is not correct
>> Command output:
>> Current password is incorrect
>> Return code: 9
>>
>>
>> With $debug:
>> Permissions of chpasswd executable are: 104750
>>
>> chpasswd has group ownership: apache
>> Your web server is running under group: apache
>>
>> chpasswd is owned by: root
>>
>> To test the chpasswd utility from the command line, do this:
>>
>> cd /usr/local/squirrelmail/www/plugins/change_passwd
>> ../../plugins/change_passwd/chpasswd '<userid>' '<oldPass>' '<newPass>' 2>&1
>>
>> The results of the commandline are:
>> Your current password is not correct
>>
>> ----------------------------------------
>>
>> Trying with compiled binary with line 165 per the head of the C source
>> file:  Same results as above
>>
>> ----------------------------------------
>>
>> Trying with compiled binary with line 166:
>>
>> Without $seeOutput or $debug
>> Your current password is not correct
>>
>>
>> With $seeOutput:
>> Your current password is not correct
>> Command output:
>> Current password "Urp1eH1Ur8FUDrJOkV9euwkcz8hL4r9cqjXjm6d//T.H.DS." is
>> incorrect; encrypted, it is
>> "$6$UfewSJUs$FtqVH/gkfh7wcrL/RCEw02blat1AAujDbsAvVvUrp1eH1Ur8FUDrJOkV9euwkcz8hL4r9cqjXjm6d//T.H.DS.",
>> but encrypting the given one results in
>> "$6$UfewSJUs$ZrKKZV4Gx/fh8eljjuDmKDwJf3bN3KCROx2RzWIdUJoZUZ08I1tkhcfdHsRQBPocN1Rgsc04lQZUs.y7c4gv01"
>> Return code: 9
>
> I'm not sure what $6$ is, but it looks like crypt-md5 (usually $1$).
> If local_autorespond_forward is working right (using suid backend, it
> can successfully create and update .forward files, etc.), then it's
> something funny with the chpasswd.c code (not surprising, since it's
> such a hack).  As you can see, the crypt command seems to be returning
> unexpected results in change_passwd.  You might be able to help narrow
> down why that happens by outputting the two arguments to crypt() in
> both change_passwd and local_autorespond_forward and run the scripts
> on the command line and see if there is any difference.  change_passwd
> runs the password through some one-off code for input and "fixing"
> (hex decoding).  You can try to comment out the fixpwd() calls around
> line 102 and see what that does.  Showing your configure/make options
> for local_autorespond_forward could also be useful.  Obviously at some
> point, the change_passwd script needs to be ditched in favor of
> something more robust like local_autorespond_forward.

>
>> With $debug:
>> Permissions of chpasswd executable are: 104750
>>
>> chpasswd has group ownership: apache
>> Your web server is running under group: apache
>>
>> chpasswd is owned by: root
>>
>> To test the chpasswd utility from the command line, do this:
>>
>> cd /usr/local/squirrelmail/www/plugins/change_passwd
>> ../../plugins/change_passwd/chpasswd '<userid>' '<oldPass>' '<newPass>' 2>&1
>>
>> The results of the commandline are:
>> Current password "Urp1eH1Ur8FUDrJOkV9euwkcz8hL4r9cqjXjm6d//T.H.DS." is
>> incorrect; encrypted, it is
>> "$6$UfewSJUs$FtqVH/gkfh7wcrL/RCEw02blat1AAujDbsAvVvUrp1eH1Ur8FUDrJOkV9euwkcz8hL4r9cqjXjm6d//T.H.DS.",
>> but encrypting the given one results in
>> "$6$UfewSJUs$ZrKKZV4Gx/fh8eljjuDmKDwJf3bN3KCROx2RzWIdUJoZUZ08I1tkhcfdHsRQBPocN1Rgsc04lQZUs.y7c4gv01"
>>
>> ----------------------------------------
>>
>> I have ssh'ed into the mail server and changed the password to the new
>> one and then back to the old one successfully.  I have also performed a
>> passwd on the user in question so that a new MD5 for the original
>> password would be generated for this user.  The results (encryption
>> notwithstanding) are the same.
>>
>>
>>>>>  > When the error occurs, nothing changes in either /var/log/messages,
>>>>>  > /var/log/maillog, or /var/log/secure.
>>>>>  >
>>>>>  > I have turned off SELinux prior to troubleshooting this concern.
>>>>>  >
>>>>>  > Is there something I'm missing?
>>>>>  >
>>>>>  > Many thanks for your time and help with this.
>>>>>
>>>>>
>>>> Reiteration of the thanks for your time.
>>>>
>>>> Steven
>