[Dovecot] Changing password for users

Joseph Tam jtam.home at gmail.com
Tue Oct 30 04:09:12 EET 2012


Ben Morrow wrote:

>> Maybe replace "/usr/bin/passwd" with htpasswd?
>
> Try pam_pwdfile with poppwd or some other poppassd that supports PAM.

That's it!  I was trying to remember the name of this PAM module.

>>> and is there another way other than poppassd?
>>
>> Write your own PHP script -- it couldn't be more than a few dozen lines
>> of code for a working skeleton.  Or Google "php change password htpasswd".
>
> It's not as simple as you seem to think. Quite apart from getting the
> password-changing itself right (have you considered what happens when
> two users change their passwords at the same time? when Dovecot tries to
> read the password file at the same time as you are changing it? when the
> system crashes when you are halfway through rewriting the password
> file?), you really shouldn't be running PHP as a user with write access
> to a password file (even a virtual password file) in any case.

I did consider it, and you're right, it is tricky to get it absolutely
right.  If robusteness and security was of utmost importance, I would
abandon PHP too.  I was scaling the solution to the OP's technical
ability and apparent size of their operation -- if poppwd passes muster,
this wouldn't be too far off.

Joseph Tam <jtam.home at gmail.com>


More information about the dovecot mailing list