checkpassword patch

This is a patch against version 0.90 of D. J. Bernstein's checkpassword utility. Unlike the original program, it does not check the given password against /etc/passwd (or /etc/shadow, if the latter is available and configured), but against /etc/poppasswd. Users who want to use the authenticated POP3 service must still own a valid user account on the respective host to hold their Maildir directory. However, they no longer need a system password and, in particular, they do not need an interactive shell account.

What is the advantage of moving authentication from the system password file to another user database, given that both files then have to be maintained separately?

  • Unless tunneled through IPsec, SSL, stunnel or similar facilities, the POP3 protocol transmits user passwords in plain text. This is not good. Although a system administrator could assign an invalid login shell (e.g. /bin/false) to that particular user, a system password known to others still leaves an uneasy feeling.
  • Putting the password into /etc/poppasswd automatically shares it with cmd5checkpw, which is used to authenticate SMTP transfers by PLAIN, LOGIN and CRAM-MD5 authentication. Thus, although another user database has to be maintained, more than one SMTP/POP3-related authentication utility refers to it.
  • The patched version of checkpassword also provides a facility to log users' successful and unsuccessful authentication attempts via syslog (using the facility LOG_AUTH). This option is turned on by default, but can easily be disabled before compiling checkpassword.c by removing the statement
    #define USELOG 1
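
An added example (not the patch's own code) of the verification step described above: it parses the checkpassword input from descriptor 3, looks the user up in /etc/poppasswd, and logs the result via syslog with facility LOG_AUTH. Assumptions not taken from this page: the file holds one `user:password` entry per line (each shorter than 512 bytes), the log message wording, and the function names; the uid switch and exec that checkpassword performs after a successful check are left out.

```c
/* Added example, not the patch's code. Assumed file format: "user:password" lines. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Split the fd-3 input "login\0password\0timestamp\0"; returns -1 if malformed. */
static int parse_input(const char *buf, size_t len, const char **login, const char **pass) {
    const char *nul = memchr(buf, '\0', len);
    if (!nul || nul == buf) return -1;              /* missing or empty login */
    *login = buf; *pass = nul + 1;
    if (!memchr(*pass, '\0', len - (size_t)(*pass - buf))) return -1; /* unterminated */
    return 0;
}

/* Compare two strings without stopping at the first differing byte. */
static int same(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 if pass matches the first entry for login in db, else 0; logs the result. */
static int check_user(FILE *db, const char *login, const char *pass) {
    char line[512], *sep;
    int ok = 0;
    while (fgets(line, sizeof line, db)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (!(sep = strchr(line, ':'))) continue;   /* skip lines without a separator */
        *sep = '\0';
        if (strcmp(line, login) != 0) continue;
        ok = sep[1] != '\0' && same(sep + 1, pass); /* empty stored password never matches */
        break;
    }
    openlog("checkpassword", LOG_PID, LOG_AUTH);    /* the password itself is never logged */
    syslog(ok ? LOG_INFO : LOG_WARNING, "POP3 login %s for user %s", ok ? "accepted" : "rejected", login);
    return ok;
}

int main(void) {
    char buf[512];
    const char *login, *pass;
    ssize_t n = read(3, buf, sizeof buf);
    if (n <= 0 || parse_input(buf, (size_t)n, &login, &pass) != 0) return 2; /* misuse */
    FILE *db = fopen("/etc/poppasswd", "r");
    if (!db) return 111;                            /* temporary failure */
    return check_user(db, login, pass) ? 0 : 1;     /* 1 = password rejected */
}
```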
    

Is this patch something I can make use of?

It depends. Whether or not it is of any use to you probably depends on the following prerequisites and configuration:

  • you use Qmail
  • you use Qmail's POP3-server qmail-pop3d
  • you use checkpassword or a similar program to authenticate POP3-users
and probably

Please refer to the README files of the respective package for further information.

Last modified at 2001-12-07.