Frantisek Hanzlik wrote:
> on my system (Fedora 11 i386, squirrelmail-1.4.19, change_pass-3.0,
> poppassd-1.8.5) the "change_pass" plugin behaves incorrectly when a user
> passes a new password which is unsuitable for the PAM subsystem.
> The "poppassd" daemon responds to that password like this:
> 500 PAM error: BAD PASSWORD: it is based on a dictionary word
> 500 PAM error: BAD PASSWORD: is too simple
> 200 Password changed, thank-you.
> (i.e. PAM doesn't like it, but as the poppassd daemon runs as root, the password
> is changed - the third line tells the truth about it).
> But the change_pass plugin seems to test the return code on the first response line
> (500) and informs the user that "Password change was not successful!".
> Second problem - what if I want to respect PAM's dissatisfaction with a weakly
> designed password (and want to disable that password change - i.e. simply the
> behavior as if the password change is done by a non-root user)? Maybe some
> better response parsing with some option such as OBEY_PAM_WARNINGS ;) in
> plugins/change_pass/options.php can solve this, but I'm not a programmer...
> Regards, Franta Hanzlik
poppass was designed to use response codes modeled after FTP. 5xx codes
are codes for permanent failure. If poppassd is going to treat those PAM
errors as non-fatal, they need to use a different error code (most likely 100).
Since there are many different poppassd programs for different systems
with different error messages, adding support for them would be non-trivial
and is unlikely to happen. The devel versions of SquirrelMail
include a front end with verification with multiple backends. That would
be the best place to add such options, possibly doing the dictionary
lookups and complexity checks before ever passing it to the backend.
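
An added example, not part of the original thread and not code from change_pass or poppassd: one way to read the multi-line reply quoted above so that the final status line decides whether the password changed, while earlier 5xx lines are kept as warnings. The function name, the `$obeyWarnings` flag (modeled on the OBEY_PAM_WARNINGS idea in the question) and the sample replies are assumptions made for illustration.

```php
<?php
// Added illustration; not code from change_pass or poppassd.

// Constructed sample: the three-line reply quoted in the thread.
$reply = "500 PAM error: BAD PASSWORD: it is based on a dictionary word\r\n"
       . "500 PAM error: BAD PASSWORD: is too simple\r\n"
       . "200 Password changed, thank-you.\r\n";

/**
 * Classify a captured poppassd reply to the new-password command.
 * Assumption: the last status line reflects what the daemon actually did.
 * $obeyWarnings is a hypothetical option: report failure if any 5xx line
 * preceded a final 2xx. It cannot undo a change the daemon already made.
 */
function classify_poppassd_reply(string $reply, bool $obeyWarnings = false): array
{
    $errors = [];
    $lastCode = null;
    foreach (preg_split('/\r?\n/', trim($reply)) as $line) {
        // Status lines look like "NNN text"; skip anything else.
        if (!preg_match('/^(\d{3})(?:\s+(.*))?$/', $line, $m)) {
            continue;
        }
        $lastCode = (int) $m[1];
        if ($lastCode >= 500) {
            $errors[] = $m[2] ?? '';
        }
    }
    $changed = $lastCode !== null && $lastCode >= 200 && $lastCode < 300;
    return [
        'changed'  => $changed,                          // server-side state
        'ok'       => $changed && !($obeyWarnings && count($errors) > 0),
        'warnings' => $changed ? $errors : [],           // 5xx lines before a 2xx
        'errors'   => $changed ? [] : $errors,           // 5xx lines with no 2xx
    ];
}

// Lenient reading of the quoted reply.
var_export(classify_poppassd_reply($reply));
// Strict reading of the same reply.
var_export(classify_poppassd_reply($reply, true));
// Constructed reply with a lone 5xx line and no final 2xx.
var_export(classify_poppassd_reply("500 Old password is incorrect.\r\n"));
```

In strict mode `ok` is false while `changed` is still true, so any message shown to the user has to say that the new password is already in effect on the server.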