You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
roundcubemail/plugins/password/README

470 lines
16 KiB
Plaintext

-----------------------------------------------------------------------
Password Plugin for Roundcube
-----------------------------------------------------------------------
Plugin that adds a possibility to change user password using many
methods (drivers) via Settings/Password tab.
-----------------------------------------------------------------------
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see http://www.gnu.org/licenses/.
@author Aleksander Machniak <alec@alec.pl>
@author <see driver files for driver authors>
-----------------------------------------------------------------------
1. Configuration
2. Drivers
2.1. Password Change Drivers
2.1.1. Database (sql)
2.1.2. Cyrus/SASL (sasl)
2.1.3. Poppassd/Courierpassd (poppassd)
2.1.4. LDAP (ldap)
2.1.5. DirectAdmin Control Panel (directadmin)
2.1.6. cPanel
2.1.6.1. cPanel WHM (cpanel)
2.1.6.2. cPanel Webmail (cpanel_webmail)
2.1.7. XIMSS/Communigate (ximms)
2.1.8. Virtualmin (virtualmin)
2.1.9. hMailServer (hmail)
2.1.10. PAM (pam)
2.1.11. Chpasswd (chpasswd)
2.1.12. LDAP - no PEAR (ldap_simple)
2.1.13. XMail (xmail)
2.1.14. Pw (pw_usermod)
2.1.15. domainFACTORY (domainfactory)
2.1.16. DBMail (dbmail)
2.1.17. Expect (expect)
2.1.18. Samba (smb)
2.1.19. Vpopmail daemon (vpopmaild)
2.1.20. Plesk (Plesk RPC-API)
2.1.21. Kpasswd
2.1.22. Modoboa
2.1.23. LDAP - Password Modify Extended Operation (ldap_exop)
2.2. Password Strength Drivers
2.2.1. Zxcvbn
2.2.2. Have I been pwned? (pwned)
3. Driver API
4. Sudo setup
1. Configuration
----------------
Copy config.inc.php.dist to config.inc.php and set the options as described
within the file.
2. Drivers
----------
2.1. Password Change Drivers
----------------------------
Password plugin supports many password change mechanisms which are
handled by included drivers. Just pass driver name in 'password_driver' option.
2.1.1. Database (sql)
---------------------
You can specify which database to connect by 'password_db_dsn' option and
what SQL query to execute by 'password_query'. See config.inc.php.dist file for
more info.
Example implementations of an update_passwd function:
- This is for use with LMS (http://lms.org.pl) database and postgres:
12 years ago
CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$
DECLARE
res integer;
BEGIN
UPDATE passwd SET password = hash
WHERE login = split_part(account, '@', 1)
AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2))
RETURNING id INTO res;
RETURN res;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
- This is for use with a SELECT update_passwd(%o,%c,%u) query
12 years ago
Updates the password only when the old password matches the MD5 password
in the database
CREATE FUNCTION update_password (oldpass text, cryptpass text, user text) RETURNS text
MODIFIES SQL DATA
BEGIN
DECLARE currentsalt varchar(20);
DECLARE error text;
SET error = 'incorrect current password';
SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user;
SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
RETURN error;
END
Example SQL UPDATEs:
- Plain text passwords:
UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1
- Crypt text passwords:
UPDATE users SET password=%c WHERE username=%u LIMIT 1
- Use a MYSQL crypt function (*nix only) with random 8 character salt
UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1
- MD5 stored passwords:
UPDATE users SET password=MD5(%p) WHERE username=%u AND password=MD5(%o) LIMIT 1
2.1.2. Cyrus/SASL (sasl)
------------------------
Cyrus SASL database authentication allows your Cyrus+Roundcube
installation to host mail users without requiring a Unix Shell account!
This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos
and PAM authentication mechanisms will require other techniques to enable
user password manipulations.
Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
user passwords in the "sasldb" database. This plugin attempts to use
this utility to perform password manipulations required by your webmail
users without any administrative interaction. Unfortunately, this
scheme requires that the "saslpasswd" utility be run as the "cyrus"
user - kind of a security problem since we have chosen to SUID a small
script which will allow this to happen.
This driver is based on the Squirrelmail Change SASL Password Plugin.
See http://www.squirrelmail.org/plugin_view.php?id=107 for details.
Installation:
Change into the helpers directory. Edit the chgsaslpasswd.c file as is
documented within it.
Compile the wrapper program:
12 years ago
gcc -o chgsaslpasswd chgsaslpasswd.c
Chown the compiled chgsaslpasswd binary to the cyrus user and group
that your browser runs as, then chmod them to 4550.
For example, if your cyrus user is 'cyrus' and the apache server group is
'nobody' (I've been told Redhat runs Apache as user 'apache'):
12 years ago
chown cyrus:nobody chgsaslpasswd
chmod 4550 chgsaslpasswd
Stephen Carr has suggested users should try to run the scripts on a test
account as the cyrus user eg;
12 years ago
su cyrus -c "./chgsaslpasswd -p test_account"
This will allow you to make sure that the script will work for your setup.
Should the script not work, make sure that:
1) the user the script runs as has access to the saslpasswd|saslpasswd2
file and proper permissions
2) make sure the user in the chgsaslpasswd.c file is set correctly.
This could save you some headaches if you are the paranoid type.
2.1.3. Poppassd/Courierpassd (poppassd)
---------------------------------------
You can specify which host to connect to via 'password_pop_host' and
what port via 'password_pop_port'. See config.inc.php.dist file for more info.
2.1.4. LDAP (ldap)
------------------
See config.inc.php.dist file. Requires PEAR::Net_LDAP2 package.
2.1.5. DirectAdmin Control Panel (directadmin)
----------------------------------------------
You can specify which host to connect to via 'password_directadmin_host' (don't
forget to use tcp:// or ssl://) and what port via 'password_direactadmin_port'.
The password enforcement with plenty customization can be done directly by
DirectAdmin, please see http://www.directadmin.com/features.php?id=910
See config.inc.php.dist file for more info.
2.1.6. cPanel
-------------
cPanel offers various APIs. The `cpanel` driver is configured with and admin
account. It can change user's passwords without access to the current password.
See the next section.
The `cpanel_webmail` driver authenticates as the current user and does not need
an admin account. See 2.6.2.
2.1.6.1. cPanel WHM (cpanel)
----------------------------
Install cPanel XMLAPI Client Class into Roundcube program/lib directory
or any other place in PHP include path. You can get the class from
https://raw.github.com/CpanelInc/xmlapi-php/master/xmlapi.php
You can configure parameters for connection to cPanel's API interface.
See config.inc.php.dist file for more info.
2.1.6.2. cPanel Webmail (cpanel_webmail)
----------------------------------------
Specify the host to connect to via 'password_webmail_cpanel_host'. This driver
comes with a minimal UAPI implementation and does not use the external xmlapi
class. It requires php-curl extension.
See config.inc.php.dist file for more info.
2.1.7. XIMSS/Communigate (ximms)
--------------------------------
You can specify which host and port to connect to via 'password_ximss_host'
and 'password_ximss_port'. See config.inc.php.dist file for more info.
2.1.8. Virtualmin (virtualmin)
------------------------------
As in sasl driver this one allows to change password using shell
utility called "virtualmin". See helpers/chgvirtualminpasswd.c for
installation instructions. Requires virtualmin >= 4.09.
2.1.9. hMailServer (hmail)
--------------------------
Requires PHP COM (Windows only). For access to hMail server on remote host
you'll need to define 'hmailserver_remote_dcom' and 'hmailserver_server'.
See config.inc.php.dist file for more info.
2.1.10. PAM (pam)
-----------------
This driver is for changing passwords of shell users authenticated with PAM.
Requires PECL's PAM extension to be installed (http://pecl.php.net/package/PAM).
2.1.11. Chpasswd (chpasswd)
---------------------------
Driver that adds functionality to change the systems user password via
the 'chpasswd' command. See config.inc.php.dist file.
Attached wrapper script (helpers/chpass-wrapper.py) restricts password changes
to uids >= 1000 and can deny requests based on a blacklist.
2.1.12. LDAP - no PEAR (ldap_simple)
-------------------------------------
It's rewritten ldap driver that doesn't require the Net_LDAP2 PEAR extension.
It uses directly PHP's ldap module functions instead (as Roundcube does).
This driver is fully compatible with the ldap driver, but
does not require (or uses) the
$config['password_ldap_force_replace'] variable.
Other advantages:
* Connects only once with the LDAP server when using the search user.
* Does not read the DN, but only replaces the password within (that is
why the 'force replace' is always used).
2.1.13. XMail (xmail)
----------------------
Driver for XMail (www.xmailserver.org). See config.inc.php.dist file
for configuration description.
2.1.14. Pw (pw_usermod)
------------------------
Driver to change the systems user password via the 'pw usermod' command.
See config.inc.php.dist file for configuration description.
2.1.15. domainFACTORY (domainfactory)
-------------------------------------
Driver for the hosting provider domainFACTORY (www.df.eu).
No configuration options.
2.1.16. DBMail (dbmail)
------------------------
Driver that adds functionality to change the users DBMail password.
It only works with dbmail-users on the same host where Roundcube runs
and requires shell access and gcc in order to compile the binary
(see instructions in chgdbmailusers.c file).
See config.inc.php.dist file for configuration description.
Note: DBMail users can also use sql driver.
2.1.17. Expect (expect)
------------------------
Driver to change user password via the 'expect' command.
See config.inc.php.dist file for configuration description.
2.1.18. Samba (smb)
--------------------
Driver to change Samba user password via the 'smbpasswd' command.
See config.inc.php.dist file for configuration description.
2.1.19. Vpopmail daemon (vpopmaild)
-------------------------------------
Driver for the daemon of vpopmail. Vpopmail is used with qmail to
enable virtual users that are saved in a database and not in /etc/passwd.
Set $config['password_vpopmaild_host'] to the host where vpopmaild runs.
Set $config['password_vpopmaild_port'] to the port of vpopmaild.
Set $config['password_vpopmaild_timeout'] to the timeout used for the TCP
connection to vpopmaild (You may want to set it higher on busy servers).
2.1.20. Plesk (Plesk RPC-API)
-----------------------------
Driver for changing Passwords via Plesk RPC-API. This Driver also works with
Parallels Plesk Automation (PPA).
You need to allow the IP of the Roundcube-Server for RPC-Calls in the Panel.
Set $config['password_plesk_host'] to the Hostname / IP where Plesk runs
Set your Admin or RPC User: $config['password_plesk_user']
Set the Password of the User: $config['password_plesk_pass']
Set $config['password_plesk_rpc_port'] for the RPC-Port. Usually its 8443
Set the RPC-Path in $config['password_plesk_rpc_path']. Normally this is: enterprise/control/agent.php.
2.1.21. Kpasswd
---------------
Driver to change the password in Kerberos environments via the 'kpasswd' command.
See config.inc.php.dist file for configuration description.
2.1.22. Modoboa
---------------
Driver to change the password in Modoboa servers.
See config.inc.php.dist file for configuration description.
2.1.23. LDAP - Password Modify Extended Operation (ldap_exop)
-------------------------------------------------------------
Modified version of ldap_simple.
Password is changed using ldap_exop_passwd operation.
PHP >= 7.2 required.
2.2. Password Strength Drivers
------------------------------
Password plugin supports many password strength checking mechanisms which are
handled by included drivers. Just pass driver name in 'password_strength_driver' option.
2.2.1. Zxcvbn
-------------
Driver to use the Zxcvbn library to check password strength. Requires zxcvbn-php library.
The library is not distributed with Roundcube (see composer.json-dist).
Note: Required PHP's memory_limit >= 24M.
Set $config['password_zxcvbn_min_score'] to define minimum acceptable password strength score.
2.2.2. Have I been pwned? (pwned)
---------------------------------
Driver using "Have I been pwned?" (https://haveibeenpwned.com/Passwords) API to
check that entered passwords aren't already compromised (i.e., commonly known).
The check is performed locally, the actual password is *not* transmitted anywhere else.
Requires curl (preferred) or allow_url_fopen to work.
Example configuration:
$config['password_strength_driver'] = 'pwned';
$config['password_minimum_score'] = 3;
See the driver implementation file for more documentation.
3. Driver API
-------------
Driver file (<driver_name>.php) must define rcube_<driver_name>_password class. Drivers should
provide one or both of a public save() or check_strength() method.
All password changing drivers (used in config `password_driver` - the password driver) must have
a save() method. The same driver can also contain a check_strength() method or a separate driver
containing this method can be used in `password_strength_driver` (the strength driver). To enable
strength checks ensure `password_check_strength` is set to true.
The save() method, used for changing the password has three arguments:
First - current password, second - new password, third - current username.
This method should return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR,
PASSWORD_CRYPT_ERROR, PASSWORD_ERROR when driver was unable to change password.
Extended result (as a hash-array with 'message' and 'code' items) can be returned
too. See existing drivers in drivers/ directory for examples.
Optionally a password driver can contain a compare() method which has three arguments:
First - current password, second - test password, third - compare type.
Compare type: PASSWORD_COMPARE_CURRENT - when comparing the test password with current password.
PASSWORD_COMPARE_NEW - when comparing the current password with the test password.
For PASSWORD_COMPARE_CURRENT it should return error text if user entered and real current password
DO NOT MATCH. For PASSWORD_COMPARE_NEW it should return error text if user entered and real current
password DO MATCH. Else it should return null (no error).
The check_strength() method, used for checking password strength has one argument: new password.
This method should return an array with tho elements:
- Score: integer from 1 (week) to 5 (strong)
- Reason for the score (optional)
Optionally a strength driver can contain a strength_rules() method. This has no arguments
and returns a string, or array of strings explaining the password strength rules.
4. Sudo setup
-------------
Some drivers that execute system commands (like chpasswd) require use of sudo command.
Here's a sample for CentOS 7:
# cat <<END >/etc/sudoers.d/99-roundcubemail
apache ALL=NOPASSWD:/usr/sbin/chpasswd
Defaults:apache !requiretty
<<END
Note: on different systems the username (here 'apache') may be different, e.g. www.
Note: on some systems the disabling tty line may not be needed.