Re: [courier-users] Re: webmail doesn't like asterisk in password? - marc lindahl - net.sourceforge.lists.courier-users

75 messages in net.sourceforge.lists.courier-usersRe: [courier-users] Re: webmail doesn...

From	Sent On	Attachments
M.B.	Feb 15, 2002 8:25 pm
Sam Varshavchik	Feb 15, 2002 9:00 pm
Juha Saarinen	Feb 15, 2002 9:13 pm
M.B.	Feb 16, 2002 12:37 am
M.B.	Feb 16, 2002 12:51 am
Juha Saarinen	Feb 16, 2002 1:34 am
M.B.	Feb 16, 2002 1:37 am
Juha Saarinen	Feb 16, 2002 1:41 am
M.B.	Feb 16, 2002 2:28 am
M.B.	Feb 16, 2002 2:30 am
Sam Varshavchik	Feb 16, 2002 6:38 am
William Rowden	Feb 16, 2002 9:31 am
M.B.	Feb 16, 2002 4:05 pm
Sam Varshavchik	Feb 16, 2002 4:39 pm
M.B.	Feb 16, 2002 7:11 pm
M.B.	Feb 16, 2002 7:29 pm
Tucker	Feb 16, 2002 7:42 pm
Sam Varshavchik	Feb 16, 2002 7:49 pm
M.B.	Feb 16, 2002 7:55 pm
M.B.	Feb 16, 2002 7:57 pm
Sam Varshavchik	Feb 16, 2002 8:06 pm
M.B.	Feb 17, 2002 8:57 am
M.B.	Feb 17, 2002 9:02 am
M.B.	Feb 17, 2002 10:23 am
Sam Varshavchik	Feb 17, 2002 12:32 pm
M.B.	Feb 17, 2002 3:23 pm
M.B.	Feb 17, 2002 3:53 pm
M.B.	Feb 17, 2002 7:53 pm
Juha Saarinen	Feb 17, 2002 8:09 pm
M.B.	Feb 17, 2002 8:28 pm
M.B.	Feb 17, 2002 8:44 pm
David M. Stowell	Feb 17, 2002 9:07 pm
Sam Varshavchik	Feb 17, 2002 9:19 pm
Juha Saarinen	Feb 17, 2002 10:21 pm
Juha Saarinen	Feb 17, 2002 10:24 pm
David M. Stowell	Feb 17, 2002 10:29 pm
David M. Stowell	Feb 17, 2002 10:32 pm
M.B.	Feb 17, 2002 11:17 pm
M.B.	Feb 17, 2002 11:22 pm
M.B.	Feb 18, 2002 12:53 am
Sysop	Feb 18, 2002 8:28 am
William Rowden	Feb 18, 2002 11:34 am
M.B.	Feb 18, 2002 3:42 pm
David M. Stowell	Feb 18, 2002 4:49 pm
M.B.	Feb 18, 2002 5:15 pm
David M. Stowell	Feb 18, 2002 5:26 pm
M.B.	Feb 18, 2002 7:21 pm
David M. Stowell	Feb 18, 2002 7:45 pm
Juha Saarinen	Feb 18, 2002 8:09 pm
Sam Varshavchik	Feb 18, 2002 8:41 pm
marc lindahl	Feb 20, 2002 12:19 am
marc lindahl	Feb 22, 2002 6:16 am
Anand Buddhdev	Feb 22, 2002 6:28 am
marc lindahl	Feb 22, 2002 8:23 am
marc lindahl	Feb 22, 2002 8:44 am
Juha Saarinen	Feb 22, 2002 11:36 am
M.B.	Feb 23, 2002 11:55 pm
Jan Lange	Feb 24, 2002 5:06 am
marc lindahl	Feb 24, 2002 10:10 am
marc lindahl	Feb 24, 2002 10:16 am
marc lindahl	Feb 24, 2002 1:38 pm
Sam Varshavchik	Feb 24, 2002 1:46 pm
Anand Buddhdev	Feb 24, 2002 2:07 pm
marc lindahl	Feb 24, 2002 2:31 pm
Sam Varshavchik	Feb 24, 2002 2:45 pm
Juha Saarinen	Feb 24, 2002 2:53 pm
marc lindahl	Feb 24, 2002 2:59 pm
Anand Buddhdev	Feb 24, 2002 5:40 pm
marc lindahl	Feb 24, 2002 6:13 pm
Francois PHILIPPO	Feb 24, 2002 11:59 pm
Sam Varshavchik	Feb 25, 2002 4:35 am
Robert L Mathews	Feb 25, 2002 12:03 pm
marc lindahl	Feb 25, 2002 2:14 pm
Robert L Mathews	Feb 25, 2002 3:23 pm
marc lindahl	Mar 4, 2002 3:11 am

Subject:	Re: [courier-users] Re: webmail doesn't like asterisk in password?
From:	marc lindahl (ma...@bowery.com)
Date:	Feb 25, 2002 2:14:45 pm
List:	net.sourceforge.lists.courier-users

From: Robert L Mathews <lis...@tigertech.com>

I traced through the code and verified to my own satisfaction that the password can never be passed to the shell in the first case (user login). Therefore, I disabled the badstr() check in that case, and users can now login with their funky passwords.

Strange.... I did that and it still doesn't work. Here's my change in webmail/auth.c::login:

if (badstr(uid)) /* || badstr(pass))*/ return (NULL);

I just commented out checking the password only.

The second case (user changing password) is NOT safe to disable, as the password may be passed to the shell by password-changing modules. I left the badstr() check in place there.

Good point, potentially, but in reality PAM checks with cracklib, so where's the security hole? Services should be modular and not distributed, right (one of them being qualifying passwords)?

I also found password filtering in authlib/authdaemond.c::passwd() and disabled that but still there's some checking somewhere else, I can't seem to find (ver 0.37.2)

thanks for the help though!

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets