Webpwd 0.3, ... For Freesco 0.3.x

Support section for FREESCO v0.3.x 3rd Party Packages

Postby Zedde » Sat Jan 26, 2008 4:27 pm

I can't get it to work

I only get this



AUTHENTICATION ERROR


www.freesco.org

WebMail  |  Main Site  |  Man Page


Password change has failed, for one or a combination
of the following reasons:

    * Wrong USER ID
    * Incorrect OLD PASSWORD
    * Both NEW PASSWORD fields must match

Return


I haven't changed anything to the conf
"From now until the end of the world,
we and it shall be remembered.
We few, we Band of Brothers.
For he who sheds his blood with me shall be my brother."
Zedde
Junior Advanced Member
 
Posts: 161
Joined: Mon May 20, 2002 3:38 pm
Location: Sweden

Postby dRB » Sat Jan 26, 2008 8:19 pm

Hi Zedde

If you have done NO config changes, then you are confirming the following config to be correct:
Code:
$standalone = FALSE; #courier is being used
$htpwf1 = "/boot/web_passwd/.htpasswd"; #password file for web mail entrance page
$htaccf = "/boot/webmail/.htaccess"; #location of web mail entrance page
$htpwf2 = "/usr/local/webpwd/www/.htpasswd"; #default webpwd entrance page


System [passwd] file is being accessed, default location is [/etc/passwd]

the file performing the operations is:
[/usr/local/webpwd/www/cgi/pw2htpw.cgi]

if this file is not chmod 755, then change it
otherwise try chmod 777 and post results

/dRB

edit:
the following is important info as well, and I think at least in part is a limit restriction in FREESCO ... if you or anyone can give me feedback/suggestions on the logic that would be appreciated.

usernames = 6-8 char restriction
passwords = 6-8 char restriction

the error message you refer to, will show up under the following conditions:
1. username is less than 6 chars in length
2. incorrect username
3. oldpassword is less than 6 chars in length
4. incorrect oldpassword
5. newpassword is less than 6 chars in length
6. newpassword fields do not match
7. /etc/passwd file failed to open
8. user/oldpasswd pair does not exist

I think having passwords less than 6 chars in length is NOT a good thing.

It may be argued that having shorter user names is acceptable ... perhaps a minimum of 3 chars to a max of 8 chars!?! Feedback?

=========
Please bear with me ... I seemed to have lost my marbles.
dRB
Junior Advanced Member
 
Posts: 196
Joined: Tue Apr 30, 2002 2:08 am
Location: Dryden, Ontario. CANADA

Postby dRB » Sat Jan 26, 2008 11:14 pm

going to make some additional changes, and noticed some fixes required ... I'll post a release update shortly, but to give you a heads up on changes:

1. add a DEBUG mode, for greater informative error messaging
2. fix small bug in user/pw shadowing, which in current state is NOT a security risk
3. fix min/max issue for user name .. default min of 2 chars, no max

/dRB

Postby Thasaidon » Sun Jan 27, 2008 3:10 am

As far as I know, the username is NOT restricted to 8 chars.
The password however is.

My username on Freesco has 8+ chars
If I only type the 1st 8 of them and then the corresponding password, I am not allowed to log in.

My password is also 8+ chars
Here, Freesco only looks at the 1st 8 chars and disregards the rest.

So if I log in with my full 8+ username, I only need the 1st 8 chars of my password.
I tested this both via SSH login and local login.

As a sidenote,
the passwd file also show all 8+ usernames in full, so there is no "capping" to 8 chars.
Experience shared, is experience gained.

Thasaidon's Freesco Page




Thasaidon
Advanced Member
 
Posts: 411
Joined: Tue Feb 05, 2002 9:38 am
Location: The Netherlands

Postby dRB » Sun Jan 27, 2008 5:24 am

:) thanks for the feedback folks.

Webpwd has been updated to 0.3.1 ... see release section for comments.

/dRB

Postby Zedde » Sun Jan 27, 2008 7:30 am

OLD PASSWORD invalid

Line 125


I made a "test" user with a 1-8 password and then tried to change the password and I get that msg.

Postby dingetje » Sun Jan 27, 2008 8:14 am

@drB:

The post install code of the script forgets to call rc_masq restart, so after a fresh install the firewall rule in rc_webpwd is not initiated and thus port 83 is wide open to the internet. Not a big security risk, but still... you may want to change that.

You also may want to consider to add the new config files to the rc_webpwd setup command, rather than having people to look for them on disk.

All in all, congrats on your first? package!
GreetZ
http://dingetje.hopto.org

"Software is like sex: it's better when it's free." - LINUS TORVALDS
dingetje
FREESCO GURU !!
 
Posts: 1010
Joined: Wed Nov 14, 2001 12:13 pm
Location: The Netherlands

Postby dingetje » Sun Jan 27, 2008 8:23 am

Found some other problems:

My current password is 9 char. long and the form does not allow to enter that. When I continue anyway the error message is 'OLD PASSWORD INVALID' which is correct. However the link to the 'man' page on the error page points to '/cgi/man/webpwd.1.html' which is not correct (it should lose the cgi part). Similar for the other 2 links (Web Mail and Main Site).

When I do enter my 9 char. password (the form will ignore the last char.) and provide a new password with <= 8 char. I get this error:

AUTHENTICATION ERROR

NEW PASSWORD too long (8 chars maximum)
Line 92


But I'm pretty sure only the old password is too long and the new is <= 8 chars, so the error message is not correct.

Postby dRB » Sun Jan 27, 2008 5:01 pm

:) thanks guys.

limit changes...
user name limits: 1 char minimum, no max
password limits: 3 char minimum, 8 char max

I think 3 char min limit for passwords needs to be increased, but not lowered. Opinions welcome.

Quote:
The post install code of the script forgets to call rc_masq restart, so after a fresh install the firewall rule in rc_webpwd is not initiated and thus port 83 is wide open to the internet

*FIXED

Quote:
You also may want to consider to add the new config files to the rc_webpwd setup command, rather than having people to look for them on disk.

*DONE, as with the URLs as well ... which can be edited as follows, and which is invoked after install:
Code:
rc_webpwd cfgedit
rc_webpwd urledit


Quote:
however the link to the 'man' page on the error page points to '/cgi/man/webpwd.1.html' which is not correct

*FIXED

Quote:
When I do enter my 9 char. password (the form will ignore the last char.) and provide a new password with <= 8 char. I get this error:

The form field maxlength for the passwords is set to 8, so you shouldn't be able to enter more than 8 char passwords. With that in mind, I wonder if this is a "tainted" character issue. Which taint checks have now been added to the script.

Release updated, but install remains the same:
http://www.rbtd.com/packages/webpwd-0.3-drb

Thanks guys.

/dRB

Postby dRB » Tue Jan 29, 2008 1:35 am

Dingetje, Zedde

I've fixed the problem with user authentication process. Problem was use of an incorrect salt for the encryption. A real perspiration moment trying to figure out what the true salt was supposed to be. (what are the chances of an incorrect salt landing the same password as listed in the passwd file!!!) :huh:

Release has been updated to 0.3.3 (0.3 has been removed from packages)
Code:
pkg -i http://www.rbtd.com/packages/webpwd-0.3.3-drb


If you guys could work the gears one more time to confirm, that would greatly be appreciated. Thanks.

/dRB
Please bear with me ... I seemed to have lost my marbles.
dRB
Junior Advanced Member
 
Posts: 196
Joined: Tue Apr 30, 2002 2:08 am
Location: Dryden, Ontario. CANADA
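
Two behaviours reported in this thread, only the first 8 password characters counting and the old-password check failing when the wrong salt is used, can be reproduced with Perl's built-in crypt(). This is an added example, not code from Webpwd or FREESCO; it assumes the passwd entries use traditional DES crypt, and the account, password and salt below are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample account. The hash is generated here with the
# traditional DES scheme (two-character salt), not taken from a real system.
my $SALT   = 'ab';
my $stored = crypt('secret12', $SALT);
die "this libc has traditional DES crypt() disabled\n"
    unless defined $stored && length($stored) == 13;
my $passwd_line = "test:$stored:1000:100:Test user:/home/test:/bin/sh";

# Return the hash field for $user from passwd-format lines, or nothing.
sub stored_hash {
    my ($user, @lines) = @_;
    for my $line (@lines) {
        my ($name, $hash) = split /:/, $line;
        return $hash if defined $name && $name eq $user;
    }
    return;
}

# Verify a candidate by re-hashing it with the salt embedded in the stored
# hash. Passing the whole stored hash as the salt argument lets crypt()
# pick the salt out itself, so the caller never has to guess it.
sub check_password {
    my ($candidate, $hash) = @_;
    return 0 unless defined $hash && length $hash;
    my $computed = crypt($candidate, $hash);
    return (defined $computed && $computed eq $hash) ? 1 : 0;
}

my $hash = stored_hash('test', $passwd_line);

printf "correct password, stored salt : %d\n", check_password('secret12', $hash);
printf "wrong password, stored salt   : %d\n", check_password('secret13', $hash);

# Hashing the correct password with any other salt gives a different
# string, so a comparison against the stored field fails.
my $wrong_salt = crypt('secret12', 'zz');
printf "correct password, salt 'zz'   : %d\n", ($wrong_salt eq $hash) ? 1 : 0;

# Traditional DES crypt() reads only the first 8 characters of the input.
printf "8 correct chars plus extras   : %d\n", check_password('secret12EXTRA', $hash);
printf "first 7 chars only            : %d\n", check_password('secret1', $hash);
```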

Postby dingetje » Tue Jan 29, 2008 1:59 am

There's a ^M in the default config file at standalone line.

When I tried new password with test user with an exclamation sign at the end (I like passwords with non-ascii chars) I got 'NEW PASSWORD tainted with illegal characters'

Perl is not my forté, so I hope you can fix the latter.

Postby dRB » Tue Jan 29, 2008 11:05 am

Quote:
When I tried new password with test user with an exclamation sign at the end (I like passwords with non-ascii chars) I got 'NEW PASSWORD tainted with illegal characters'


^_^ that would be my bad.

Seems like the [passwd] binary accepts all kinds of character input for user names/passwords. I guess the question here is what is the complete list of legal chars. Or maybe the list of illegal chars is easier to validate against ... probably by using a [sed] call (which is some seriously snaky scripting) ... researching-----

/dRB

[edit]
ok, problem is solved. Thanks to Lightning's genius chunk of code in the adm.cgi script used with FREESCO control panel (hehehe) I was able to implement a slant on the same, and therefore the [passwd] binary now takes care of business (which is what I wanted to do initially when scripting this application)

so, I'll make other changes in the script to reflect this particular code insert, clean up, and post in the release section when the updated package is ready. B)

Postby dRB » Thu Jan 31, 2008 10:00 pm

:) the non-ascii password restrictions have been removed, along with other changes. I posted an update in the release section.

I ended up NOT using the [passwd] binary ... just wasn't able to get the results I wanted. The rewrite of Webpwd has resulted in a mix of perl, sh, and regex code. The code has been cleaned for readability.

The following bears no reflection on the current state of Webpwd 0.3.4 ...
Perhaps someone can enlighten me on why for several runs using the passwd binary (as called from within the cgi script) password changes were being processed. And then after several runs, changes were NOT being processed, even though return values indicated successful completion.

(I used Lightning's passwd change code as defined in the control panel adm.cgi file)

/dRB

