1 ----------------------------------------------------------------------- 2 Password Plugin for Roundcube 3 ----------------------------------------------------------------------- 4 Plugin that adds a possibility to change user password using many 5 methods (drivers) via Settings/Password tab. 6 ----------------------------------------------------------------------- 7 This program is free software: you can redistribute it and/or modify 8 it under the terms of the GNU General Public License as published by 9 the Free Software Foundation, either version 3 of the License, or 10 (at your option) any later version. 11 12 This program is distributed in the hope that it will be useful, 13 but WITHOUT ANY WARRANTY; without even the implied warranty of 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 GNU General Public License for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with this program. If not, see http://www.gnu.org/licenses/. 19 20 @author Aleksander Machniak <alec@alec.pl> 21 @author <see driver files for driver authors> 22 ----------------------------------------------------------------------- 23 24 1. Configuration 25 2. Drivers 26 2.1. Password Change Drivers 27 2.1.1. Database (sql) 28 2.1.2. Cyrus/SASL (sasl) 29 2.1.3. Poppassd/Courierpassd (poppassd) 30 2.1.4. LDAP (ldap) 31 2.1.5. DirectAdmin Control Panel (directadmin) 32 2.1.6. cPanel 33 2.1.7. XIMSS/Communigate (ximms) 34 2.1.8. Virtualmin (virtualmin) 35 2.1.9. hMailServer (hmail) 36 2.1.10. PAM (pam) 37 2.1.11. Chpasswd (chpasswd) 38 2.1.12. LDAP - no PEAR (ldap_simple) 39 2.1.13. XMail (xmail) 40 2.1.14. Pw (pw_usermod) 41 2.1.15. domainFACTORY (domainfactory) 42 2.1.16. DBMail (dbmail) 43 2.1.17. Expect (expect) 44 2.1.18. Samba (smb) 45 2.1.19. Vpopmail daemon (vpopmaild) 46 2.1.20. Plesk (Plesk RPC-API) 47 2.1.21. Kpasswd 48 2.1.22. Modoboa 49 2.1.23. LDAP - Password Modify Extended Operation (ldap_exop) 50 2.1.24. TinyCP 51 2.1.25. Mail-in-a-Box (miab) 52 2.1.26. HTTP-API (httpapi) 53 2.1.27. dovecot_passwdfile 54 2.2. Password Strength Drivers 55 2.2.1. Zxcvbn 56 2.2.2. Have I been pwned? (pwned) 57 3. Driver API 58 4. Sudo setup 59 60 61 1. Configuration 62 ---------------- 63 64 Copy config.inc.php.dist to config.inc.php and set the options as described 65 within the file. 66 67 68 2. Drivers 69 ---------- 70 71 72 2.1. Password Change Drivers 73 ---------------------------- 74 75 Password plugin supports many password change mechanisms which are 76 handled by included drivers. Just pass driver name in 'password_driver' option. 77 78 79 2.1.1. Database (sql) 80 --------------------- 81 82 You can specify which database to connect by 'password_db_dsn' option and 83 what SQL query to execute by 'password_query'. See config.inc.php.dist file for 84 more info. 85 86 Example implementations of an update_passwd function: 87 88 - This is for use with LMS (http://lms.org.pl) database and postgres: 89 90 CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$ 91 DECLARE 92 res integer; 93 BEGIN 94 UPDATE passwd SET password = hash 95 WHERE login = split_part(account, '@', 1) 96 AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2)) 97 RETURNING id INTO res; 98 RETURN res; 99 END; 100 $$ LANGUAGE plpgsql SECURITY DEFINER; 101 102 - This is for use with a SELECT update_passwd(%o,%c,%u) query 103 Updates the password only when the old password matches the MD5 password 104 in the database 105 106 CREATE FUNCTION update_password (oldpass text, cryptpass text, user text) RETURNS text 107 MODIFIES SQL DATA 108 BEGIN 109 DECLARE currentsalt varchar(20); 110 DECLARE error text; 111 SET error = 'incorrect current password'; 112 SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user; 113 SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); 114 UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); 115 RETURN error; 116 END 117 118 Example SQL UPDATEs: 119 120 - Plain text passwords: 121 UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1 122 123 - Crypt text passwords: 124 UPDATE users SET password=%c WHERE username=%u LIMIT 1 125 126 - Use a MYSQL crypt function (*nix only) with random 8 character salt 127 UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1 128 129 - MD5 stored passwords: 130 UPDATE users SET password=MD5(%p) WHERE username=%u AND password=MD5(%o) LIMIT 1 131 132 133 2.1.2. Cyrus/SASL (sasl) 134 ------------------------ 135 136 Cyrus SASL database authentication allows your Cyrus+Roundcube 137 installation to host mail users without requiring a Unix Shell account! 138 139 This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos 140 and PAM authentication mechanisms will require other techniques to enable 141 user password manipulations. 142 143 Cyrus SASL includes a shell utility called "saslpasswd" for manipulating 144 user passwords in the "sasldb" database. This plugin attempts to use 145 this utility to perform password manipulations required by your webmail 146 users without any administrative interaction. Unfortunately, this 147 scheme requires that the "saslpasswd" utility be run as the "cyrus" 148 user - kind of a security problem since we have chosen to SUID a small 149 script which will allow this to happen. 150 151 This driver is based on the Squirrelmail Change SASL Password Plugin. 152 See http://www.squirrelmail.org/plugin_view.php?id=107 for details. 153 154 Installation: 155 156 Change into the helpers directory. Edit the chgsaslpasswd.c file as is 157 documented within it. 158 159 Compile the wrapper program: 160 gcc -o chgsaslpasswd chgsaslpasswd.c 161 162 Chown the compiled chgsaslpasswd binary to the cyrus user and group 163 that your browser runs as, then chmod them to 4550. 164 165 For example, if your cyrus user is 'cyrus' and the apache server group is 166 'nobody' (I've been told Red Hat runs Apache as user 'apache'): 167 168 chown cyrus:nobody chgsaslpasswd 169 chmod 4550 chgsaslpasswd 170 171 Stephen Carr has suggested users should try to run the scripts on a test 172 account as the cyrus user eg; 173 174 su cyrus -c "./chgsaslpasswd -p test_account" 175 176 This will allow you to make sure that the script will work for your setup. 177 Should the script not work, make sure that: 178 1) the user the script runs as has access to the saslpasswd|saslpasswd2 179 file and proper permissions 180 2) make sure the user in the chgsaslpasswd.c file is set correctly. 181 This could save you some headaches if you are the paranoid type. 182 183 184 2.1.3. Poppassd/Courierpassd (poppassd) 185 --------------------------------------- 186 187 You can specify which host to connect to via 'password_pop_host' and 188 what port via 'password_pop_port'. See config.inc.php.dist file for more info. 189 190 191 2.1.4. LDAP (ldap) 192 ------------------ 193 194 See config.inc.php.dist file. Requires PEAR::Net_LDAP2 package. 195 196 197 2.1.5. DirectAdmin Control Panel (directadmin) 198 ---------------------------------------------- 199 200 You can specify which host to connect to via 'password_directadmin_host' (don't 201 forget to use tcp:// or ssl://) and what port via 'password_directadmin_port'. 202 The password enforcement with plenty customization can be done directly by 203 DirectAdmin, please see http://www.directadmin.com/features.php?id=910 204 See config.inc.php.dist file for more info. 205 206 207 2.1.6. cPanel 208 ------------- 209 210 Specify the host to connect to via 'password_cpanel_host'. This driver 211 comes with a minimal UAPI implementation and does not use the external xmlapi 212 class. It requires php-curl extension. 213 214 See config.inc.php.dist file for more info. 215 216 217 2.1.7. XIMSS/Communigate (ximms) 218 -------------------------------- 219 220 You can specify which host and port to connect to via 'password_ximss_host' 221 and 'password_ximss_port'. See config.inc.php.dist file for more info. 222 223 224 2.1.8. Virtualmin (virtualmin) 225 ------------------------------ 226 227 As in sasl driver this one allows to change password using shell 228 utility called "virtualmin". See helpers/chgvirtualminpasswd.c for 229 installation instructions. Requires virtualmin >= 4.09. 230 231 232 2.1.9. hMailServer (hmail) 233 -------------------------- 234 235 Requires PHP COM (Windows only). For access to hMail server on remote host 236 you'll need to define 'hmailserver_remote_dcom' and 'hmailserver_server'. 237 See config.inc.php.dist file for more info. 238 239 240 2.1.10. PAM (pam) 241 ----------------- 242 243 This driver is for changing passwords of shell users authenticated with PAM. 244 Requires PECL's PAM extension to be installed (http://pecl.php.net/package/PAM). 245 246 247 2.1.11. Chpasswd (chpasswd) 248 --------------------------- 249 250 Driver that adds functionality to change the systems user password via 251 the 'chpasswd' command. See config.inc.php.dist file. 252 253 Attached wrapper script (helpers/chpass-wrapper.py) restricts password changes 254 to uids >= 1000 and can deny requests based on a blacklist. 255 256 257 2.1.12. LDAP - no PEAR (ldap_simple) 258 ------------------------------------- 259 260 It's rewritten ldap driver that doesn't require the Net_LDAP2 PEAR extension. 261 It uses directly PHP's ldap module functions instead (as Roundcube does). 262 263 This driver is fully compatible with the ldap driver, but 264 does not require (or uses) the 265 $config['password_ldap_force_replace'] variable. 266 Other advantages: 267 * Connects only once with the LDAP server when using the search user. 268 * Does not read the DN, but only replaces the password within (that is 269 why the 'force replace' is always used). 270 271 272 2.1.13. XMail (xmail) 273 ---------------------- 274 275 Driver for XMail (www.xmailserver.org). See config.inc.php.dist file 276 for configuration description. 277 278 279 2.1.14. Pw (pw_usermod) 280 ------------------------ 281 282 Driver to change the systems user password via the 'pw usermod' command. 283 See config.inc.php.dist file for configuration description. 284 285 286 2.1.15. domainFACTORY (domainfactory) 287 ------------------------------------- 288 289 Driver for the hosting provider domainFACTORY (www.df.eu). 290 No configuration options. 291 292 293 2.1.16. DBMail (dbmail) 294 ------------------------ 295 296 Driver that adds functionality to change the users DBMail password. 297 It only works with dbmail-users on the same host where Roundcube runs 298 and requires shell access and gcc in order to compile the binary 299 (see instructions in chgdbmailusers.c file). 300 See config.inc.php.dist file for configuration description. 301 302 Note: DBMail users can also use sql driver. 303 304 305 2.1.17. Expect (expect) 306 ------------------------ 307 308 Driver to change user password via the 'expect' command. 309 See config.inc.php.dist file for configuration description. 310 311 312 2.1.18. Samba (smb) 313 -------------------- 314 315 Driver to change Samba user password via the 'smbpasswd' command. 316 See config.inc.php.dist file for configuration description. 317 318 319 2.1.19. Vpopmail daemon (vpopmaild) 320 ------------------------------------- 321 322 Driver for the daemon of vpopmail. Vpopmail is used with qmail to 323 enable virtual users that are saved in a database and not in /etc/passwd. 324 325 Set $config['password_vpopmaild_host'] to the host where vpopmaild runs. 326 327 Set $config['password_vpopmaild_port'] to the port of vpopmaild. 328 329 Set $config['password_vpopmaild_timeout'] to the timeout used for the TCP 330 connection to vpopmaild (You may want to set it higher on busy servers). 331 332 333 2.1.20. Plesk (Plesk RPC-API) 334 ----------------------------- 335 336 Driver for changing Passwords via Plesk RPC-API. This Driver also works with 337 Parallels Plesk Automation (PPA). 338 339 You need to allow the IP of the Roundcube-Server for RPC-Calls in the Panel. 340 341 Set $config['password_plesk_host'] to the Hostname / IP where Plesk runs 342 Set your Admin or RPC User: $config['password_plesk_user'] 343 Set the Password of the User: $config['password_plesk_pass'] 344 Set $config['password_plesk_rpc_port'] for the RPC-Port. Usually its 8443 345 Set the RPC-Path in $config['password_plesk_rpc_path']. Normally this is: enterprise/control/agent.php. 346 347 348 2.1.21. Kpasswd 349 --------------- 350 351 Driver to change the password in Kerberos environments via the 'kpasswd' command. 352 See config.inc.php.dist file for configuration description. 353 354 355 2.1.22. Modoboa 356 --------------- 357 358 Driver to change the password in Modoboa servers. 359 See config.inc.php.dist file for configuration description. 360 361 362 2.1.23. LDAP - Password Modify Extended Operation (ldap_exop) 363 ------------------------------------------------------------- 364 365 Modified version of ldap_simple. 366 Password is changed using ldap_exop_passwd operation. 367 PHP >= 7.2 required. 368 369<<<<<<< HEAD 370 371 2.1.24 TinyCP 372 ------------- 373 374 Download the TinyCPConnector.php file from your TinyCP Settings page and 375 save it into the password/drivers folder. Update/resolve file permissions for 376 www-data/apache. 377 Set the password_tinycp_host, password_tinycp_port, password_tinycp_user, and 378 password_tinycp_pass in plugin's config.inc.php file. 379 380 381 2.1.25 Mail-in-a-Box (miab) 382 --------------------------- 383 Driver to change the password on Mail-in-a-Box servers. 384 See config.inc.php.dist file for configuration description. 385 386 387 2.1.26. HTTP-API (httpapi) 388 -------------------------- 389 390 Driver to change the user's password via any HTTP/HTTPS POST/GET API in a 391 generic manner. It passes any of the username, curpass and newpass variables 392 to the configured POST or GET parameters at the configured URL. 393 394 Any 4xx error code (except 404) is assumed to mean the password change failed. 395 404 or any other non-2xx error code, or failure to connect, is assumed to be a 396 connection error and is reported as such. 397 398 A 2xx response is generally assumed to mean the password changed succeeded. 399 Optionally, you can configure a regular expression to check the response as 400 well to verify this. 401 402 403 2.1.27. dovecot_passwdfile 404 -------------------------- 405 406 Driver that adds functionality to change the passwords in dovecot 2 passwd-file files 407 regarding https://doc.dovecot.org/configuration_manual/authentication/passwd_file. 408 409 Set 'password_dovecot_passwdfile_path' to your dovecot passwd-file location and 410 'password_algorithm' (and related options) to the algorithm you want the passwords 411 stored in the file to be using. 412 413 414 2.2. Password Strength Drivers 415 ------------------------------ 416 417 Password plugin supports many password strength checking mechanisms which are 418 handled by included drivers. Just pass driver name in 'password_strength_driver' option. 419 420 421 2.2.1. Zxcvbn 422 ------------- 423 424 Driver to use the Zxcvbn library to check password strength. Requires zxcvbn-php library. 425 The library is not distributed with Roundcube (see composer.json-dist). 426 Note: Required PHP's memory_limit >= 24M. 427 428 Set $config['password_zxcvbn_min_score'] to define minimum acceptable password strength score. 429 430 2.2.2. Have I been pwned? (pwned) 431 --------------------------------- 432 433 Driver using "Have I been pwned?" (https://haveibeenpwned.com/Passwords) API to 434 check that entered passwords aren't already compromised (i.e., commonly known). 435 The check is performed locally, the actual password is *not* transmitted anywhere else. 436 437 Requires curl (preferred) or allow_url_fopen to work. 438 439 Example configuration: 440 441 $config['password_strength_driver'] = 'pwned'; 442 $config['password_minimum_score'] = 3; 443 444 See the driver implementation file for more documentation. 445 446 3. Driver API 447 ------------- 448 449 Driver file (<driver_name>.php) must define rcube_<driver_name>_password class. Drivers should 450 provide one or both of a public save() or check_strength() method. 451 452 All password changing drivers (used in config `password_driver` - the password driver) must have 453 a save() method. The same driver can also contain a check_strength() method or a separate driver 454 containing this method can be used in `password_strength_driver` (the strength driver). To enable 455 strength checks ensure `password_check_strength` is set to true. 456 457 The save() method, used for changing the password has three arguments: 458 First - current password, second - new password, third - current username. 459 This method should return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR, 460 PASSWORD_CRYPT_ERROR, PASSWORD_ERROR when driver was unable to change password. 461 Extended result (as a hash-array with 'message' and 'code' items) can be returned 462 too. See existing drivers in drivers/ directory for examples. 463 464 Optionally a password driver can contain a compare() method which has three arguments: 465 First - current password, second - test password, third - compare type. 466 Compare type: PASSWORD_COMPARE_CURRENT - when comparing the test password with current password. 467 PASSWORD_COMPARE_NEW - when comparing the current password with the test password. 468 For PASSWORD_COMPARE_CURRENT it should return error text if user entered and real current password 469 DO NOT MATCH. For PASSWORD_COMPARE_NEW it should return error text if user entered and real current 470 password DO MATCH. Else it should return null (no error). 471 472 The check_strength() method, used for checking password strength has one argument: new password. 473 This method should return an array with tho elements: 474 - Score: integer from 1 (week) to 5 (strong) 475 - Reason for the score (optional) 476 477 Optionally a strength driver can contain a strength_rules() method. This has no arguments 478 and returns a string, or array of strings explaining the password strength rules. 479 480 481 4. Sudo setup 482 ------------- 483 484 Some drivers that execute system commands (like chpasswd) require use of sudo command. 485 Here's a sample for CentOS 7: 486 487 # cat <<END >/etc/sudoers.d/99-roundcubemail 488 apache ALL=NOPASSWD:/usr/sbin/chpasswd 489 Defaults:apache !requiretty 490 <<END 491 492 Note: on different systems the username (here 'apache') may be different, e.g. www. 493 Note: on some systems the disabling tty line may not be needed. 494