Gentoo Forums
HOWTO: allow user to change password in squirrelmail ...
linuxguru43
n00b

Joined: 20 Oct 2005
Posts: 4

Posted: Fri Dec 09, 2005 10:06 am    Post subject: HOWTO: allow user to change password in squirrelmail ...

Using change_sqlpass plugin with vpopmail/mysql

I wanted to set up a way for users to change their password in squirrelmail without using an external page. I read about the major security flaws with the vpopmail plugin, so I decided to stay away from that. After many hours of troubleshooting the change_sqlpass plugin, I found that it can work! I thought I would share with everyone how I managed to get the change_sqlpass plugin to work with squirrelmail while using vpopmail and mysql.

INSTALLATION:

This has been tested and mostly works with the following versions (explanation later):
Programs:
MySQL 4.1.14
Squirrelmail 1.4.5
vpopmail 5.4.6

Squirrelmail Plugins:
change_sqlpass 3.3-1.2
compatibility 2.0.4


I am assuming that you have a working vpopmail/mysql/squirrelmail setup already, i.e. you can send and receive emails, log into squirrelmail, etc.

First, extract the squirrelmail plugins into the plugins dir (change the dirs to match your setup).
tar xvzf change_sqlpass-3.3-1.2.tar.gz -C /var/www/localhost/webmail/plugins/
tar xvzf compatibility-2.0.4.tar.gz -C /var/www/localhost/webmail/plugins/

CONFIGURATION:

vpopmail stores the passwords in mysql using md5crypt. So we need to set up the change_sqlpass plugin to use this encryption technique. This is done in the config.php file in the plugins/change_sqlpass directory.

Edit change_sqlpass/config.php. Change the following lines. NOTE: line numbers may not be exact. I have tweaked the file some while attempting to get this working. :-P

Code:

line 37:
$csp_dsn = 'mysql://vpopmail:password@localhost/vpopmail';

line 75:
$lookup_password_query = 'SELECT count(*) FROM vpopmail WHERE pw_name = "%2" AND pw_domain = "%3" AND pw_passwd = %4';

line 106:
'UPDATE vpopmail SET pw_passwd = %4 WHERE pw_name = "%2" AND pw_domain = "%3"',

line 150:
$password_encryption = 'MD5CRYPT';

line 179:
$csp_salt_static = '';

line 183:
$csp_salt_query = 'SELECT SUBSTRING(pw_passwd,4,9) FROM vpopmail WHERE pw_name = "%2"';


Edit functions.php. Add the following at line 15. There are errors present if the following files are not included:

Code:

include_once(SM_PATH . 'functions/display_messages.php');
include_once(SM_PATH . 'plugins/change_sqlpass/md5crypt.php');


This should get most things working correctly except the one small problem I hinted at earlier. After a user changes their password using this extension, they must log out and re-login with the new password. If they don't, the site displays an "incorrect username or password" error then sends them back to the login page anyway.

If anyone knows how to correct this, let me know. For now, I added the following lines to the message displayed after the user successfully changes their password:

change_sqlpass/functions.php
line 306:
Code:

$optpage_name = _("Password changed successfully.<br />Please use your new password to log in from now on.<br />WARNING:You must log out now and use your new password to login again! Failure to do so will result in errors!");


cd into the config folder and run ./conf.pl
select plugins - #8
add the change_sqlpass plugin
save and exit

That's it!

It's an ugly hack, but I don't have a better solution at this time.


I hope this is of use to somebody.
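What the `$csp_salt_query` setting pulls out of an md5crypt value, and a strict way to check a password against the stored value, as added PHP that is not part of the original post or of change_sqlpass. The function names and sample passwords are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Function names and sample passwords
// are constructed; the hashes are generated at run time, not taken from a system.

// PHP equivalent of MySQL SUBSTRING(pw_passwd, 4, 9): 1-based position 4,
// nine characters. For "$1$<8-char salt>$<digest>" that is the salt plus "$".
function salt_via_substring(string $stored): string
{
    return substr($stored, 3, 9);
}

// Strict parse of an md5crypt string; returns null for anything else
// (empty field, cleartext, another scheme such as "$6$").
function parse_md5crypt(string $stored): ?array
{
    $re = '#^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$#';
    if (!preg_match($re, $stored, $m)) {
        return null;
    }
    return ['salt' => $m[1], 'digest' => $m[2]];
}

// Re-hash the candidate with the stored salt and compare in constant time.
function verify_md5crypt(string $candidate, string $stored): bool
{
    $parts = parse_md5crypt($stored);
    if ($parts === null) {
        return false;
    }
    $rehash = crypt($candidate, '$1$' . $parts['salt'] . '$');
    return hash_equals($stored, $rehash);
}

$stored = crypt('old-secret', '$1$Qx3r9TzA$');   // constructed 8-character salt
$short  = crypt('old-secret', '$1$abc$');        // constructed 3-character salt

var_dump(salt_via_substring($stored));  // the salt and its "$" terminator
var_dump(salt_via_substring($short));   // short salt: digest characters follow the "$"
var_dump(parse_md5crypt($short)['salt']);
var_dump(verify_md5crypt('old-secret', $stored));
var_dump(verify_md5crypt('wrong-guess', $stored));
var_dump(verify_md5crypt('old-secret', 'cleartext-field'));
```

The fixed-width `SUBSTRING` only returns a clean salt when the stored salt is exactly eight characters long; parsing up to the third `$` handles shorter salts as well.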
tomk
Administrator

Joined: 23 Sep 2003
Posts: 7219
Location: Sat in front of my computer

Posted: Sat Dec 10, 2005 1:27 pm

Moved from Networking & Security to Documentation, Tips & Tricks.
_________________
Search | Read | Answer | Report | Strip
rev138
l33t

Joined: 19 Jun 2003
Posts: 848
Location: Vermont, USA

Posted: Wed Mar 21, 2007 11:01 pm

I am trying to get this to work with a Postgres database. It doesn't seem to like the fact that the change_sqlpass queries have double quotes (") in them. It wants single quotes ('). The problem is that the config.php file uses single quotes to parse the configuration settings.

Bleh. How can I fix this?

Thanks.
_________________
Vermont Free PC
http://www.vtfreepc.org
Insanity5902
Veteran

Joined: 23 Jan 2004
Posts: 1228
Location: Fort Worth, Texas

Posted: Thu Mar 22, 2007 2:46 am

I believe you can use backspace to allow the single quote within a single quote - \'

I think, not sure, haven't had to do that in a while.
_________________
GibbonsR.net | OpenLaptops.org

Join the adopt an unanswered post initiative today
rev138
l33t

Joined: 19 Jun 2003
Posts: 848
Location: Vermont, USA

Posted: Mon Mar 26, 2007 7:38 pm

Aha! That works... sort of.

Now I don't get an error, because I'm wrapping single quotes around the password value inserted by the plugin -- but that password is still wrapped in double quotes.

Now, instead of passing "<encrypted passwd>" to the SQL database, it's passing '"<encrypted passwd>"'

That makes Postgres happy, but totally breaks authentication. It looks like I'll have to hack the plugin to stop using double quotes. Any ideas where to start? I'm a php n00b.
_________________
Vermont Free PC
http://www.vtfreepc.org
rev138
l33t

Joined: 19 Jun 2003
Posts: 848
Location: Vermont, USA

Posted: Mon Mar 26, 2007 8:01 pm

Aha! There's a place in functions.php where it explicitly adds double quotes to the strings. I just deleted the quotes from there, and escaped the single quotes in config.php. Works perfectly now :)

Thanks for the help.
_________________
Vermont Free PC
http://www.vtfreepc.org
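The quoting problem discussed in the posts above disappears when the query template carries no quotes at all and the values are bound as parameters. The following PHP is an added example, not part of the thread or of the plugin's code, and it is a different approach from the edit rev138 describes. The helper name, the use of PDO with in-memory SQLite (requires pdo_sqlite) and the sample row are assumptions.

```php
<?php
// Added example, not the plugin's code. Table and column names follow the
// thread; the helper name, PDO usage and sample row are constructed here.

// Convert a change_sqlpass-style template into a statement with bound
// parameters. %2..%4 tokens, bare or wrapped in ' or ", become "?".
function template_to_prepared(string $template, array $values): array
{
    $params = [];
    $sql = preg_replace_callback(
        '/(["\']?)%([2-4])\1/',
        function (array $m) use ($values, &$params): string {
            $params[] = $values[(int) $m[2]];   // keep order of appearance
            return '?';
        },
        $template
    );
    return [$sql, $params];
}

// The MySQL-style template from the first post, and a hand-escaped
// single-quote form of the kind PostgreSQL expects.
$mysql_style = 'SELECT count(*) FROM vpopmail WHERE pw_name = "%2" AND pw_domain = "%3" AND pw_passwd = %4';
$pgsql_style = 'SELECT count(*) FROM vpopmail WHERE pw_name = \'%2\' AND pw_domain = \'%3\' AND pw_passwd = \'%4\'';

$stored = crypt('old-secret', '$1$Qx3r9TzA$');   // constructed sample hash
$values = [2 => "o'brien", 3 => 'example.org', 4 => $stored];

[$sql_a, $params] = template_to_prepared($mysql_style, $values);
[$sql_b]          = template_to_prepared($pgsql_style, $values);
var_dump($sql_a === $sql_b);   // both templates reduce to the same statement

// In-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vpopmail (pw_name TEXT, pw_domain TEXT, pw_passwd TEXT)');
$db->prepare('INSERT INTO vpopmail VALUES (?, ?, ?)')->execute(array_values($values));

// The apostrophe in the user name never reaches the SQL text.
$stmt = $db->prepare($sql_a);
$stmt->execute($params);
var_dump((int) $stmt->fetchColumn());
```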
HT12g
n00b

Joined: 03 Aug 2012
Posts: 1

Posted: Fri Aug 03, 2012 4:25 pm    Post subject: Re: HOWTO: allow user to change password in squirrelmail ...

linuxguru43 wrote:
Using change_sqlpass plugin with vpopmail/mysql


Code:


line 150:
$password_encryption = 'MD5CRYPT';

line 179:
$csp_salt_static = '';

line 183:
$csp_salt_query = 'SELECT SUBSTRING(pw_passwd,4,9) FROM vpopmail WHERE pw_name = "%2"';





Thank you very much! It works like a charm!