View previous topic :: View next topic |
Author |
Message |
linuxguru43 n00b
Joined: 20 Oct 2005 Posts: 4
|
Posted: Fri Dec 09, 2005 10:06 am Post subject: HOWTO: allow user to change password in squirrelmail ... |
|
|
Using change_sqlpass plugin with vpopmail/mysql
I wanted to set up a way for users to change their password in squirrelmail without using an external page. I read about the major security flaws with the vpopmail plugin, so I decided to stay away from that. After many hours of troubleshooting the change_sqlpass plugin, I found that it can work! I thought I would share with everyone how I managed to get the change_sqlpass plugin to work with squirrelmail while using vpopmail and mysql.
INSTALLATION:
This has been tested and mostly works with the following versions(explanation later):
Programs:
MySQL 4.1.14
Squirrelmail 1.4.5
vpopmail 5.4.6
Squirrelmail Plugins:
change_sqlpass 3.3-1.2
compatibility 2.0.4
I am assuming that you have a working vpopmail/mysql/squirrelmail setup already. i.e. you can send and recieve emails, log into squirrelmail,etc.
First, extract the squirrelmail plugins into the plugins dir (change the dirs to match your setup).
tar xvzf change_sqlpass-3.3-1.2.tar.gz /var/www/localhost/webmail/plugins/
tar xvzf compatibility-2.0.4.tar.gz /var/www/localhost/webmail/plugins/
CONFIGURATION:
vpopmail stores the passwords in mysql using md5crypt. So we need to setup the change_sqlpass plugin to use this encryption technique. This is done in the config.php file in the plugins/change_sqlpass directory.
edit change_sqlpass/config.php. Change the following lines: NOTE:line numbers may not be exact. I have tweaked the file some while attempting to get this working.
Code: |
line 37:
$csp_dsn = 'mysql://vpopmail:password@localhost/vpopmail';
line 75:
$lookup_password_query = 'SELECT count(*) FROM vpopmail WHERE pw_name = "%2" AND pw_domain = "%3" AND pw_passwd = %4';
line 106:
'UPDATE vpopmail SET pw_passwd = %4 WHERE pw_name = "%2" AND pw_domain = "%3"',
line 150:
$password_encryption = 'MD5CRYPT';
line 179:
$csp_salt_static = '';
line 183:
$csp_salt_query = 'SELECT SUBSTRING(pw_passwd,4,9) FROM vpopmail WHERE pw_name = "%2"';
|
Edit functions.php. Add the following at line 15. There are errors present if the following files are not included:
Code: |
include_once(SM_PATH . 'functions/display_messages.php');
include_once(SM_PATH . 'plugins/change_sqlpass/md5crypt.php');
|
This should get most things working correctly except the one small problem I hinted at earlier. After a user changes their password using this extension, they must log out and re-login with the new password. If they don't, the site displays an "incorrect username or password" error then sends them back to the login page anyway.
If anyone knows how to correct this, let me know. For now, I added the following lines to the message displayed after the user successfully changes their password:
change_sqlpass/functions.php
line 306:
Code: |
$optpage_name = _("Password changed successfully.<br />Please use your new password to log in from now on.<br />WARNING:You must log out now and use your new password to login again! Failure to do so will result in errors!");
|
cd into the config folder and run ./conf.pl
select plugins - #8
add the change_sqlpass plugin
save and exit
That's it!
It's an ugly hack, but I don't have a better solution at this time.
I hope this is of use to somebody. |
|
Back to top |
|
|
tomk Bodhisattva
Joined: 23 Sep 2003 Posts: 7221 Location: Sat in front of my computer
|
Posted: Sat Dec 10, 2005 1:27 pm Post subject: |
|
|
Moved from Networking & Security to Documentation, Tips & Tricks. _________________ Search | Read | Answer | Report | Strip |
|
Back to top |
|
|
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
|
Posted: Wed Mar 21, 2007 11:01 pm Post subject: |
|
|
I am trying to get this to work with a Postgres database. It doesn't seem to like the fact that the change_sqlpass queries have double quotes (") in them. It wants single quotes ('). The problem is that the config.php file uses single quotes to parse the configuration settings.
Bleh. How can I fix this?
Thanks. _________________ Vermont Free PC
http://www.vtfreepc.org |
|
Back to top |
|
|
Insanity5902 Veteran
Joined: 23 Jan 2004 Posts: 1228 Location: Fort Worth, Texas
|
Posted: Thu Mar 22, 2007 2:46 am Post subject: |
|
|
I believe you can use backspace to allow the single quote within an single quote - \'
I think, not sure, haven't had to do that in a while. _________________ Join the adopt an unanswered post initiative today |
|
Back to top |
|
|
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
|
Posted: Mon Mar 26, 2007 7:38 pm Post subject: |
|
|
Aha! That works... sort of.
Now I don't get an error, because I'm wrapping single quotes around the password value inserted by the plugin -- but that password is still wrapped in double quotes.
Now, instead of passing "<encrypted passwd>" to the SQL database, it's passing '"<encrypted passwd>"'
That makes Postgres happy, but totally breaks authentication. It looks like I'll have to hack the plugin to stop using double quotes. Any ideas where to start? I'm a php n00b. _________________ Vermont Free PC
http://www.vtfreepc.org |
|
Back to top |
|
|
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
|
Posted: Mon Mar 26, 2007 8:01 pm Post subject: |
|
|
Aha! There's a place in fucntions.php where it explicitly adds double quotes to the strings. I just deleted the quotes from there, and escape the single quotes in config.php. Works perfectly now
Thanks for the help. _________________ Vermont Free PC
http://www.vtfreepc.org |
|
Back to top |
|
|
HT12g n00b
Joined: 03 Aug 2012 Posts: 1
|
Posted: Fri Aug 03, 2012 4:25 pm Post subject: Re: HOWTO: allow user to change password in squirrelmail ... |
|
|
linuxguru43 wrote: | Using change_sqlpass plugin with vpopmail/mysql
Code: |
line 150:
$password_encryption = 'MD5CRYPT';
line 179:
$csp_salt_static = '';
line 183:
$csp_salt_query = 'SELECT SUBSTRING(pw_passwd,4,9) FROM vpopmail WHERE pw_name = "%2"';
|
|
Thank you very much! It works like a charm! |
|
Back to top |
|
|
|