An Eudora and NUPOP change password server. Version 1.7-CETI with PAM support. HOW IT WORKS? The idea is that poppassd daemon is never accessible from the outside. This is intended to work only with WWW interface, such as PopPass by Jerry Workman <jerry@newwave.net>. It is IMHO more secure and less complicated than using SUID CGI scripts or CGI wrappers to /bin/passwd. User fills a WWW form which is then processed by PopPass program. PopPass checks if the data seems to be correct (passwords are same and long enough), connects to the poppassd daemon which performs the real password change. For better security it is recommended to configure PopPass to connect to poppassd on localhost and block access to the port 106 from other machines. This is described below. INSTALLATION: 1. Edit Makefile if necessary and type 'make'. 2. Install in /usr/sbin, owned by root and executable only by root. 3. Add to /etc/inetd.conf: poppassd stream tcp nowait root /usr/sbin/tcpd poppassd 4. Add do /etc/services: poppassd 106/tcp 5. Configure tcpd to refuse connection to poppassd from all hosts but localhost. I have tcpd compiled with -DOPTIONS and my /etc/hosts.deny entry looks like: poppassd: nobody@localhost: allow poppassd: ALL: deny You may need to change 'nobody' to the user your httpd is running as. It's also worth considering to block all incoming TCP packets to port 106 on your router. 6. Add to /etc/syslog.conf: local4.err /var/log/poppassd 7. Install PopPass on you WWW server. CREDITS Based on poppassd by John Norstad <j-norstad@nwu.edu>, Roy Smith <roy@nyu.edu> and Daniel L. Leavitt <dll@mitre.org>. Shadow file update code taken from shadow-960810 by John F. Haugh II <jfh@rpp386.cactus.org> and Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> This version was modified to work directly on Linux shadow files. It includes a few additions like delay after incorrect password. Version 1.5 fixes bug which caused usernames containing characters like underscore '_' to be ignored. I've also added new compilation flag -DALLOW_NULL_PASSWORDS, which makes exactly what it means ;) I've needed it for automated accounts creation. Don't use it if unless you really need it - this can be a security hole.I Version 1.7 uses PAM. Thanks to Mikolaj Rydzewski <mikir@kki.net.pl> for giving me a clue how to use PAM conversion function in his wwwpasswd. Version 1.8 fixes minor bugs. -- Pawel Krawczyk <kravietz@ceti.com.pl>