VMS POPPASSWD V2.3
Copyright 1995 Opus One and ACES Research

This version of POPPASSWD is provided under license and may not be freely
distributed. V2.1 of POPPASSWD is in the public domain. These notes do NOT
apply to V2.1 of POPPASSWD.

These notes contain:

    1. Build instructions
    2. Install instructions
    3. Customization instructions


1. Building the program
=======================

    a. $ @kit_location:build


2. Installing the program
=========================

    a. We recommend you place the image in the MultiNet directory and make
       it user accessible:

         $ @kit_location:copy_exe

    b. Configure MultiNet's master server to start it:

         $ @kit_location:add_service

    c. Add ONE of the following lines to your SYSTARTUP procedure and
       execute it:

         $ define/system poppasswd_log_file "location of log file here"
       or
         $ define/system poppasswd_dont_log "TRUE"

    d. Optionally, copy CHKEXP.COM and CHKEXP.EXE somewhere, and add a line
       to the systemwide login.com that says:

         $ @location:CHKEXP


3. Customization Options
========================

    a. General information:

       POP Passwd's behavior can be changed using a variety of system-wide
       logical names. Even if you do nothing else, you MUST either define
       the POPPASSWD_LOG_FILE logical name or define POPPASSWD_DONT_LOG so
       that POPPASSWD won't write log files. Defining POPPASSWD_DONT_LOG
       also discards the record of failed attempts, so POPPASSWD_LOG_FILE
       is the safer choice.

       The CHKEXP program runs from SYLOGIN and only acts for POP logins. If
       the user's password is going to expire within 4 days or fewer, it
       sends mail reminding the user to change the password.

    b.
The logical names:

       POPPASSWD_LOG_FILE            POP Password logging file
       POPPASSWD_DONT_LOG            Flag to prevent logging
       POPPASSWD_DEBUG               Useful for debugging only
       POPPASSWD_ANAL_MODE           Prevents users getting the real reason for failure
       POPPASSWD_IGNORE_LENGTH       Ignore the UAF length field if set
       POPPASSWD_IGNORE_CAPTIVE      Ignore the CAPTIVE flag in the UAF if set
       POPPASSWD_IGNORE_DISUSER      Ignore the DISUSER flag in the UAF if set
       POPPASSWD_IGNORE_GENPWD       Ignore the GENPWD flag in the UAF if set
       POPPASSWD_IGNORE_LOCKPWD      Ignore the LOCKPWD flag in the UAF if set
       POPPASSWD_IGNORE_RESTRICTED   Let RESTRICTED users change password if set
       POPPASSWD_IGNORE_POLICY       Ignore loaded password policy if set


4. Customization Notes
======================

POPPASSWD_LOG_FILE
    This should be defined to point to the location where POPPASSWD will log
    everything that happens. Normally, it is suggested that this point to
    wherever you keep your other TCP/IP logs.

    Example:  multinet_common_root:[multinet]poppasswd.log

POPPASSWD_DONT_LOG
    Normally, POPPASSWD logs everything, both errors and successes, to a log
    file. This is usually a pretty good idea. However, if you do not want
    POPPASSWD to leave any traces of what it has done (including attempted
    break-ins!), then define this logical name and it will do no logging.

POPPASSWD_DEBUG
    You normally would have no reason to define this. However, if you do,
    then POPPASSWD will babble all sorts of interesting debugging
    information. Defining this logical does NOT weaken any of the checks
    described below; all it does is increase the amount of logging to the
    screen which POPPASSWD will do. If you define this logical name, then it
    is likely that Eudora will not be able to talk to POPPASSWD, so do not
    leave it defined on a server users depend on.

POPPASSWD_ANAL_MODE
    Normally, POPPASSWD is pretty chatty with users about why it was unable
    to change their password. It will tell them if a particular username is
    valid, if they have given an incorrect password, or if there is a syntax
    error.
    Some sites may not like the idea of this much information being given
    out, since confirming which usernames exist helps anyone guessing
    passwords over the network. If you define POPPASSWD_ANAL_MODE, then
    POPPASSWD is very tight-lipped about the error messages which it gives
    to the client. This does not affect the log files, though: the real
    reason for each failure is still logged.

POPPASSWD_IGNORE_LENGTH
    Normally, POPPASSWD pays attention to the minimum password length field
    in each user's UAF entry. If, for some very strange reason, you do NOT
    want POPPASSWD to do this, then define this logical name. This is
    strongly discouraged!

POPPASSWD_IGNORE_CAPTIVE
    Normally, POPPASSWD will not allow users who have the CAPTIVE flag in
    their UAF entry to change their password. If you would like to allow
    these users to change their passwords, then define this logical name.

POPPASSWD_IGNORE_DISUSER
    Normally, POPPASSWD will not allow users who have the DISUSER flag in
    their UAF entry to change their password. If you would like to allow
    these users to change their passwords, then define this logical name.
    This is strongly discouraged!

POPPASSWD_IGNORE_GENPWD
    Normally, POPPASSWD will not allow users who have the GENPWD flag in
    their UAF entry to change their password. If you would like to allow
    these users to change their passwords, then define this logical name.
    This is strongly discouraged!

POPPASSWD_IGNORE_LOCKPWD
    Normally, POPPASSWD will not allow users who have the LOCKPWD flag in
    their UAF entry to change their password. If you would like to allow
    these users to change their passwords, then define this logical name.
    This is strongly discouraged!

POPPASSWD_IGNORE_RESTRICTED
    Normally, POPPASSWD will not allow users who have the RESTRICTED flag in
    their UAF entry to change their password. If you would like to allow
    these users to change their passwords, then define this logical name.

POPPASSWD_IGNORE_POLICY
    Normally, POPPASSWD will not allow users who violate the loadable
    password policy to change their password.
    If you would like to allow users to change their passwords even though
    they violate your policy, then define this logical name.


Internals of the protocol
=========================

Steve Dorner's description of the simple protocol:

    The server's responses should be like an FTP server's responses: 1xx for
    in progress, 2xx for success, 3xx for more information needed, 4xx for
    temporary failure, and 5xx for permanent failure.

    Putting it all together, here's a sample conversation:

        S: 200 hello\r\n
        E: user yourloginname\r\n
        S: 300 please send your password now\r\n
        E: pass yourcurrentpassword\r\n
        S: 200 My, that was tasty\r\n
        E: newpass yournewpassword\r\n
        S: 200 Happy to oblige\r\n
        E: quit\r\n
        S: 200 Bye-bye\r\n

Note that the current password and the new password both cross the network
in the clear, exactly as shown above; the protocol itself provides no
encryption, so the log file is the only record you will have of who tried to
change what.
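The conversation above, together with the POPPASSWD_ANAL_MODE and IGNORE_* behaviour from section 4, modelled as a small server state machine. This is an added example and is not the POPPASSWD source or any Opus One/ACES code. The Account class and the in-memory accounts dictionary are hypothetical stand-ins for the VMS UAF, the order of the checks is assumed, and the anal-mode handling of an unknown username (accept the USER line and fail generically at PASS, so the client cannot tell an unknown name from a wrong password) is this example's own choice, not documented behaviour of the real server.

```python
"""Model of the POPPASSWD conversation and of the ANAL_MODE / IGNORE_* options.

Added example, not code from POPPASSWD itself. The Account class and the
in-memory `accounts` dict are hypothetical stand-ins for the VMS UAF; the
check order and the anal-mode handling of unknown users are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    password: str
    min_length: int = 6       # stands in for the UAF minimum password length field
    disuser: bool = False     # stands in for the UAF DISUSER flag


@dataclass
class PopPasswdServer:
    accounts: Dict[str, Account]
    anal_mode: bool = False        # POPPASSWD_ANAL_MODE: terse errors to the client
    ignore_disuser: bool = False   # POPPASSWD_IGNORE_DISUSER
    ignore_length: bool = False    # POPPASSWD_IGNORE_LENGTH
    log: List[str] = field(default_factory=list)   # what POPPASSWD_LOG_FILE would receive
    user: Optional[str] = None
    authed: bool = False

    def greeting(self) -> str:
        return "200 hello"

    def _fail(self, detail: str) -> str:
        # The log always records the real reason; the client only sees it
        # when anal mode is off. 5xx = permanent failure, as in the notes.
        self.log.append(f"FAIL user={self.user} reason={detail}")
        return "500 request failed" if self.anal_mode else f"500 {detail}"

    def handle(self, line: str) -> str:
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.lower()
        if verb == "user":
            self.user, self.authed = arg, False
            if arg not in self.accounts and self.anal_mode:
                # Assumed anal-mode behaviour: do not confirm that the name is
                # unknown; ask for a password and fail generically at PASS.
                self.log.append(f"FAIL user={arg} reason=no such user")
                return "300 please send your password now"
            if arg not in self.accounts:
                return self._fail("no such user")
            return "300 please send your password now"
        if verb == "pass":
            acct = self.accounts.get(self.user or "")
            if acct is None or arg != acct.password:
                return self._fail("incorrect password")
            if acct.disuser and not self.ignore_disuser:
                return self._fail("account is DISUSERed")
            self.authed = True
            return "200 My, that was tasty"
        if verb == "newpass":
            if not self.authed:
                return self._fail("send user and pass first")
            acct = self.accounts[self.user]
            if len(arg) < acct.min_length and not self.ignore_length:
                return self._fail(f"password shorter than UAF minimum of {acct.min_length}")
            acct.password = arg
            self.log.append(f"OK user={self.user} password changed")
            return "200 Happy to oblige"
        if verb == "quit":
            return "200 Bye-bye"
        return self._fail("syntax error")


def run_conversation(server: PopPasswdServer, client_lines: List[str]) -> List[Tuple[str, str]]:
    """Drive one session and return it as (speaker, text) pairs, greeting first."""
    transcript = [("S", server.greeting())]
    for line in client_lines:
        transcript.append(("E", line))
        transcript.append(("S", server.handle(line)))
    return transcript


if __name__ == "__main__":
    # Constructed account data; "E:" is Eudora and "S:" the server, as in the notes.
    server = PopPasswdServer(accounts={"yourloginname": Account("yourcurrentpassword")})
    session = ["user yourloginname", "pass yourcurrentpassword",
               "newpass yournewpassword", "quit"]
    for who, text in run_conversation(server, session):
        print(f"{who}: {text}\\r\\n")
    print("\n".join(server.log))
```

Running the script reproduces the sample exchange line for line and then prints the single log entry a successful change leaves behind. Constructing a second server with anal_mode=True and sending an unknown USER shows the difference that option makes: the client gets the same 300 prompt and the same "500 request failed" it would get for a wrong password, while the log still says "no such user".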