This is a discussion on Disabling the password "quality" checking feature within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Folks,

I'm using an OpenBSD system for providing mail service (SMTP/POP3) to a company.

The "trouble" I'm finding is that when the personnel of the company tries to set their passwords, most times they are asked for *better* passwords (they seem to be using dictionary-based passwords).

None of these accounts is used for any other service than e-mail, so I'd like to disable OpenBSD's password checking feature so that the personnel can set any password they want, even if that's not a security-wise policy.

How can I do this?

--
Fernando Gont
e-mail: fernando@ANTISPAM.gont.com.ar

[To send a personal reply, please remove the ANTISPAM tag]
Fernando Gont wrote:
> Folks,
>
> I'm using an OpenBSD system for providing mail service (SMTP/POP3) to
> a company.
>
> The "trouble" I'm finding is that when the personnel of the company
> tries to set their passwords, most times they are asked for *better*
> passwords (they seem to be using dictionary-based passwords).
>
> None of these accounts is used for any other service than e-mail, so
> I'd like to disable the OpenBSD's password checking feature so that
> the personnel can set any password they want, even if that's not a
> security-wise policy.

Why not set it up as a virtual server, so the users only need to know a POP/IMAP password and don't have shell level access to the machine. Safer and more flexible (well, possibly depending on what products you use).
On Tue, 19 Oct 2004 20:19:07 +0100, Keith Matthews <invalid@frequentous.co.uk> wrote:
> Why not set it up as a virtual server, so the users only need to know a pop
> imap password and don't have shell level access to the machine.

Well, I have disabled logins for all those users. (I understand what you mean, though).

> Safer and more flexible (well, possibly depending on what products you use).

I'm using qmail. qmail itself doesn't allow virtual users. Maybe I could migrate to vpopmail, which is a frontend for qmail, and allows virtual users. But I was trying to avoid this (for now, at least) since I'm working on several other tasks.

--
Fernando Gont
e-mail: fernando@ANTISPAM.gont.com.ar

[To send a personal reply, please remove the ANTISPAM tag]
Fernando Gont wrote:
> On Tue, 19 Oct 2004 20:19:07 +0100, Keith Matthews
> <invalid@frequentous.co.uk> wrote:
>
>> Why not set it up as a virtual server, so the users only need to know a
>> pop imap password and don't have shell level access to the machine.
>
> Well, I have disabled logins for all those users. (I understand what
> you mean, though).
>
>> Safer and more flexible (well, possibly depending on what products you
>> use).
>
> I'm using qmail. qmail itself doesn't allow virtual users.
> Maybe I could migrate to vpopmail, which is a frontend for qmail, and
> allows virtual users. But was trying to avoid this (for now, at least)
> since I'm working on several other tasks.

I wasn't aware that qmail did POP/IMAP at all!

Never tried vpopmail; I have used (and am shipping to clients) courier-imap, which does work on maildir (and hence is compatible with qmail), does support virtual users, and (despite the name) also offers POP3.
On Tue, 19 Oct 2004 20:19:07 +0100, Keith Matthews <invalid@frequentous.co.uk> wrote:
>> None of these accounts is used for any other service than e-mail, so
>> I'd like to disable the OpenBSD's password checking feature so that
>> the personnel can set any password they want, even if that's not a
>> security-wise policy.
>
> Why not set it up as a virtual server, so the users only need to know a pop
> imap password and don't have shell level access to the machine.

BTW, I'm also planning to set up an OpenBSD server to provide SFTP service so that users can store their files there. And I'll be facing the same problem I'm facing now... so it would be great if I could disable the password checking feature.

--
Fernando Gont
e-mail: fernando@ANTISPAM.gont.com.ar

[To send a personal reply, please remove the ANTISPAM tag]
"Fernando Gont" <fgont@softhome.net> wrote in message news:aroan013dm6du64jo2ie376r53vqjgmkkv@4ax.com...
> Folks,
> None of these accounts is used for any other service than e-mail, so
> I'd like to disable the OpenBSD's password checking feature so that
> the personnel can set any password they want, even if that's not a
> security-wise policy.
>
> How can I do this?

Looking at my 3.5 box I can't see there's such a feature enabled by default. Anyway you may want to look at login.conf whether it contains some line "passwordcheck path" (man login.conf), then comment it out.

Just a guess,
Dorian
On Wed, 20 Oct 2004 15:40:26 +0200, Dorian Büttner wrote:
> Looking at my 3.5 box I can't see there's such a feature enabled by default.
> Anyway you may want to look at login.conf whether it contains some line
> "passwordcheck path" (man login.conf) then comment it out.
> Just a guess,

It does some checks, but, if you are persistent, it will let you pick a bad password. For example:

$ passwd
Changing local password for almeida.
Old password: [entered old password]
New password: [entered 'testing']
Please don't use an all-lower case password.
Unusual capitalization, control characters or digits are suggested.
New password: [entered 'testing' again]
Please don't use an all-lower case password.
Unusual capitalization, control characters or digits are suggested.
New password: [entered 'testing' again]
Please don't use an all-lower case password.
Unusual capitalization, control characters or digits are suggested.
New password: [entered 'testing' again]
Retype new password: [entered 'testing' again, password changed]

Seems like it bugs you three times then gives up.
"Fernando Gont" <fgont@softhome.net> wrote in message news:aroan013dm6du64jo2ie376r53vqjgmkkv@4ax.com...
> Folks,
>
> I'm using an OpenBSD system for providing mail service (SMTP/POP3) to
> a company.
>
> The "trouble" I'm finding is that when the personnel of the company
> tries to set their passwords, most times they are asked for *better*
> passwords (they seem to be using dictionary-based passwords).

Implement an `I'll break both of your legs when` section in your users policy.

And have a look in /usr/src/usr.bin/passwd/pwd_check.c

--
-{ ViPER www.dmrt.net
-{ Back off! You're standing in my aura
Shane Almeida wrote:
>> Looking at my 3.5 box I can't see there's such a feature enabled by default.
>> Anyway you may want to look at login.conf whether it contains some line
>> "passwordcheck path" (man login.conf) then comment it out.
>> Just a guess,
>
> It does some checks, but, if you are persistent, it will let you pick a
> bad password.

Well, but I make the users type their passwords themselves. So, making them type their password six times is not an acceptable option.

--
Fernando Gont (fgont@frh.utn.edu.ar)
Laboratorio de Informatica
Universidad Tecnologica Nacional, Facultad Regional Haedo
Tel: +54 11 4659 2575 Int 130
Fernando Gont wrote:
> Folks,
>
> I'm using an OpenBSD system for providing mail service (SMTP/POP3) to
> a company.
>
> The "trouble" I'm finding is that when the personnel of the company
> tries to set their passwords, most times they are asked for *better*
> passwords (they seem to be using dictionary-based passwords).
>
> None of these accounts is used for any other service than e-mail, so
> I'd like to disable the OpenBSD's password checking feature so that
> the personnel can set any password they want, even if that's not a
> security-wise policy.
>
> How can I do this?
>
> --
> Fernando Gont
> e-mail: fernando@ANTISPAM.gont.com.ar
>
> [To send a personal reply, please remove the ANTISPAM tag]

[man login.conf]

    passwordtries (3):  The number of times the passwd(1) utility enforces a
                        check on the password. If 0, the new password will
                        only be accepted if it passes the password quality
                        check.

--> try a value below 0 (not tested)

    passwordcheck (path):  An external program that checks the quality of the
                           password. The password is passed to the program on
                           stdin. An exit code of 0 indicates that the quality
                           of the password is sufficient, an exit code of 1
                           signals that the password failed the check.

--> try to set this to an empty string (not tested ...)

These were the first things I kept in mind; the other way is to look at the C file mentioned before (/usr/src/usr.bin/passwd/pwd_check.c).

Regards

--
David Mayer
GnuPG public key: http://members.aon.at/curbaxx/pubkey.asc
Fingerprint: FCC8 7225 6DE7 A054 161B DB77 E25B FC38 1CEF A35B
(c u r b) (AT) (a o n) (DOT) (a t)
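To make the login.conf(5) mechanism David quotes concrete, and to tie it to Shane's observation that the built-in check gives up after three refusals, here is an added example of an external `passwordcheck` program. It is not code from this thread or from OpenBSD; the install path /etc/passwordcheck, the login class name `mailonly`, the minimum length and the deny list are this example's own assumptions. It implements the interface the quoted man page text describes (candidate password on stdin, exit 0 to accept, exit 1 to reject), and next to it shows the accept-anything variant that does what Fernando asked for, so the weak and the strict settings sit side by side.

```shell
#!/bin/sh
# Hypothetical passwordcheck helper (added example, not from the thread or
# from OpenBSD). Interface per login.conf(5) as quoted above: the candidate
# password arrives on stdin; exit 0 = acceptable, exit 1 = rejected.
#
# Assumed deployment (paths and class name are this example's choices):
#   install -o root -g wheel -m 755 pwcheck.sh /etc/passwordcheck
# and in /etc/login.conf, a class for the mail-only accounts:
#   mailonly:\
#       :passwordcheck=/etc/passwordcheck:\
#       :passwordtries=0:\
#       :tc=default:
# then put the users in it with: usermod -L mailonly <user>
# (rebuild login.conf.db with cap_mkdb if you use it).

MINLEN=${MINLEN:-8}     # assumed policy value, not an OpenBSD default

# Constructed deny list for the example; a real deployment would read a
# wordlist file instead of an inline string.
DENYLIST="password 123456 qwerty letmein welcome testing"

# Strict policy: read one candidate from stdin, return 0 to accept, 1 to
# reject. Never echo or log the candidate: passwd(1) runs this as root
# and the string is a plaintext password.
check_password() {
    pw=""
    IFS= read -r pw || :            # keep data even if no trailing newline
    if [ ${#pw} -lt "$MINLEN" ]; then
        return 1
    fi
    # Same complaint passwd(1) made in Shane's session: a string made only
    # of lowercase letters is rejected. Any other character passes this gate.
    case "$pw" in
        *[!a-z]*) ;;
        *) return 1 ;;
    esac
    # Deny list is matched case-insensitively, so "PASSWORD" is still caught.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for bad in $DENYLIST; do
        if [ "$lower" = "$bad" ]; then
            return 1
        fi
    done
    return 0
}

# What the original poster asked for: a checker that accepts anything.
# Pointing passwordcheck at a script with this body disables quality
# checking for the class; it still consumes stdin so the caller sees no
# broken pipe.
accept_any() {
    IFS= read -r _ || :
    return 0
}

# Run a few constructed candidates through the strict policy and print the
# verdicts, never the reasons tied to the string itself.
demo() {
    for cand in testing Testing1 'correct horse battery' 'Tr0ub4dor&3' PASSWORD; do
        if printf '%s\n' "$cand" | check_password; then v=accept; else v=reject; fi
        printf '%-22s %s\n' "$cand" "$v"
    done
}

# When installed under the name "passwordcheck", behave as the checker
# passwd(1) expects; otherwise stay quiet so the functions can be sourced.
case "${0##*/}" in
    passwordcheck) check_password; exit $? ;;
esac
if [ "${1:-}" = demo ]; then demo; fi
```

Per the quoted man page text, `passwordtries` still governs the outcome: with `passwordtries=0` the checker's verdict is final, while with the default of 3 passwd(1) accepts the password after three refusals, which is exactly what Shane saw with the built-in check. Whatever program you point `passwordcheck` at runs as root and sees the plaintext candidate, so keep it root-owned, not world-writable, and free of any logging of its input. `sh pwcheck.sh demo` prints the verdicts for the constructed sample candidates.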