Varga Robert writes:
> On Wed, 16 Jun 1999, Sam wrote:
>
> > Varga Robert writes:
> >
> > > The third is, as you can guess... is it possible to do APOP with shadow
> > > passwords? Is Qmail or some extensions able to do it together?
> >
> > No. This procedure is not possible. According to the current physical and
> > logical laws of this universe, APOP requires that passwords be stored as
> > completely unencrypted, because APOP requires that the cleartext password
> > be available for computing and validating the MD5 hash.
> >
>
> This probably means that the APOP database cannot be automatically
> refreshed when the user changes his/her password by passwd.

No, it doesn't mean that at all. It only means that it's not possible with
the standard passwd utility only. Nothing stops you from patching passwd
to save a copy of the unencrypted password in a protected file or a
directory, which then is read by the APOP checkpassword.

In fact, if you are fortunate enough to be using a PAM-enabled system, you
won't have to touch passwd's code at all. Just hack together a standalone
PAM module to swipe the password and tuck it away, someplace. Lessee...

$ cat /etc/pam.d/passwd
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_pwdb.so use_authtok nullok

Just append another password directive at the very end, pointing to your
module hack, and you're all set.
--
Sam
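
The constraint discussed in this thread, as an added example that is not part of the original messages: an APOP check recomputes MD5 over the server's greeting timestamp plus the shared secret, so a store holding only a one-way hash cannot validate the client. The greeting, user and secret are the example values from RFC 1939; the SHA-256 "shadow-like" entry is an assumed stand-in for a crypt(3) hash.

```python
import hashlib
import hmac
import re

def banner_timestamp(greeting: str) -> str:
    """Extract the <process-id.clock@hostname> challenge from the POP3 greeting."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    if m is None:
        raise ValueError("server greeting carries no APOP timestamp")
    return m.group(0)

def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1939: hex MD5 over the timestamp (brackets included) followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()

def verify_apop(greeting: str, stored_secret: str, client_digest: str) -> bool:
    """Server side: recompute from whatever is stored, compare in constant time."""
    expected = apop_digest(banner_timestamp(greeting), stored_secret)
    return hmac.compare_digest(expected.encode(), client_digest.lower().encode())

# Example values from RFC 1939 (not from this thread).
GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"
# Assumed stand-in for a shadow entry: a one-way hash of the password.
# Real systems use crypt(3); SHA-256 is used here only to keep the example portable.
SHADOW_LIKE = hashlib.sha256(SECRET.encode()).hexdigest()

def demo() -> dict:
    # What the client sends after "APOP mrose".
    client = apop_digest(banner_timestamp(GREETING), SECRET)
    # A later connection gets a different timestamp (constructed value).
    later = "+OK POP3 server ready <1897.697170999@dbc.mtview.ca.us>"
    return {
        "client_digest": client,
        "cleartext_store_accepts": verify_apop(GREETING, SECRET, client),
        "hashed_store_accepts": verify_apop(GREETING, SHADOW_LIKE, client),
        "old_digest_on_new_banner": verify_apop(later, SECRET, client),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```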