Hi all,

This is a SUMMARY regarding this posting I made to the list a few weeks ago (approx). Alas, I can't even find my copy of the original query so paraphrase it below; nor can I find the three replies I received from kind folks (sorry for not giving credit where due as a consequence).

----------------------------------------------------------

Original question was (more-or-less):

Given a "blackbox mail server" on which users have local accounts but no shell access (i.e., shell is set to /bin/false for all accounts except admin, root) - is there a straightforward way to permit end-users to change their own passwords, and setup / configure mail forwarding/vacation message settings - ideally through a nice WWW-type interface. The box is running solaris 8 (10/00, 12/00 jumbo patch); POP server from Sun and Postfix for SMTP.

----------------------------------------------------------

Suggested solutions were:

(1) specify the shell in the file, /etc/passwd, for all "users" as /bin/passwd instead of /bin/false. This permits them to telnet onto the "blackbox". Once they authenticate successfully (standard login), they are then prompted for old password, new password, confirm new password. If this is done successfully they are kicked off the server and their password has been changed.

(2) two folks suggested I investigate "webmin" (http://www.webmin.com), a web-based management package which is modular / configurable. Alas, I had previously investigated this and determined its focus is to provide "admin level access" (full access to high level admin functions) rather than "user level access" (ie, authenticate the user and then let them do something like set their own password). Without building a new module from scratch for use in webmin, I don't think I could use it to achieve my goals.

Since I asked the question, I've done a bit more digging and found a 3rd alternative which may be of interest to people - hence I mention it here.

For quite some time, there has been a daemon available from qualcomm for use from the Eudora mail client called "Poppass.d" - it listens on port 106 for a connection and interactively allows you to authenticate, then specify a new password. This thing has evolved with time and despite obvious "security issues" (cleartext password transmission - no worse than POP3 though - IMHO), "Somewhat less insecure" versions exist. In particular:

http://www.usg.edu/oiit/support/build/poppasswd.html

which seems to have been tweaked by the systems people @ the university of Georgia such that

- it works on solaris 2.X (unlike most prior versions of poppassd that I mucked about with)
- flags passed to poppassd via command line allow constraint of which GROUPS it will even think about allowing member-users to change their passwords via this tool
- it works with TCP Wrappers, permitting further control of who can attack your server via this port :-)

So: The other reason poppassd is of interest is that Jerry Workman of Mountain Software (http://www.newwave.net/~jerry/poppass.html) has made freely available a perl CGI appropriate for use with a web server to provide a web-interface onto the PopPass daemon. Like all good perl CGIs it appears to be very easy to customize (i.e., brand it with a logo, etc etc), which is an added bonus :-)

Finally: For the really security conscious out there, I can envision a solution where

- poppassd runs listening to port 106, protected by TCP wrappers to ONLY accept connections from ITSELF
- this machine is also running an SSL-only web server (Apache ModSSL would be my choice) which has the poppass CGI available at a known URL.

For the truly paranoid, run the SSL server on an atypical port and require server-issued SSL certs for all your clients to even get access :-)

Bingo - you now have a pretty secure GUI / web interface way for users to change their passwords on the blackbox mail server.

(I'm quite sure I'm not going to go this far in paranoia - I may even leave port 106 open to the workgroup subnet where windoze users run Eudora, which is by coincidence the mail client of choice here - since this is a convenient option too, allowing them to change their password from within their mail client).

Alas, this does nothing to address the query of user-web-gui for vacation messages / forwarding - but it is a bit of a start. And - to be honest - I am **amazed** that there isn't anything else out there for solaris, given the abundance of such things for "linux-based-server-appliances" like e-smith or Cobalt-RAQ. Sigh. I guess it just isn't considered a "solaris kind of thing" ?

Anyhow. That is the summary. I hope it is of slight use / interest to anyone else who may be out there (now or in the future?) seeking to achieve similar things. And, of course, if anyone *does* find a better way to do this - or to address the issue of web-vacation-forwarding interface :-) -- Please let me know.

Thanks,

Tim Chipman

Received on Fri Apr 20 16:16:22 2001
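The two TCP Wrappers layouts the post sketches (loopback-only for the CGI-fronted setup, or loopback plus the Eudora workgroup subnet), written out as hosts.allow / hosts.deny entries. This is an added example, not from the post or the poppassd package; it assumes poppassd is launched from inetd through tcpd under the daemon name "poppassd", and the 192.0.2.0/24 subnet is a constructed placeholder for the workgroup network.

```text
# /etc/hosts.deny -- default-deny for the wrapped password daemon.
# The daemon name must match the name tcpd sees in the inetd.conf entry.
poppassd: ALL

# /etc/hosts.allow -- consulted before hosts.deny, so a match here wins.
# Option A (post's "ONLY accept connections from ITSELF"): only the local
# SSL web server / poppass CGI may reach port 106.
poppassd: 127.0.0.1

# Option B (post's "leave port 106 open to the workgroup subnet"): also
# admit the Eudora clients on a single trusted subnet, nothing else.
# Uses a constructed placeholder network; replace with your own.
# poppassd: 127.0.0.1, 192.0.2.0/255.255.255.0
```

tcpdmatch, which ships with tcp_wrappers, evaluates the rules without opening a connection: `tcpdmatch poppassd 127.0.0.1` should report access granted while `tcpdmatch poppassd 198.51.100.7` (another constructed address) should report denied.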
This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:24:53 EDT