Saturday, June 13, 2009

How I customized the 'Change Password' plugin of SquirrelMail so that the plugin can change '/etc/passwd' & '/etc/shadow' on a remote server.


The Scenario

In my organization we have the following setup. The mail server holds the user accounts and runs the SMTP and IMAP/POP services. Incoming mail is stored on the mail server following the normal mail route.

Users have the option of checking their mail from the local network through installed mail clients like Thunderbird or Outlook, or through webmail. The http server runs the webmail and accesses the user inboxes through the IMAP and SMTP services of the mail server.

The requirement was to enable users to change their password through the SquirrelMail interface.

I faced a problem when I installed the 'Change Password' plugin in the SquirrelMail system: the plugin could not change the password of a mail user. This is because the working logic of the 'Change Password' plugin is different from what this setup needs.

The working logic of 'Change Password' plugin

The 'Change Password' plugin contains several PHP files and one executable ('chpasswd') file. The executable is the core program of the plugin. It can only work on the '/etc/passwd' or '/etc/shadow' files of the local server (the http server) on which the SquirrelMail application is installed.

Whenever a user issues the command to change the password through the web form, SquirrelMail executes the 'chpasswd' command with the proper parameters to do the job.

The modified working logic of 'Change Password' plugin

I changed the working logic of the plugin to incorporate a remote password change feature.

The new working logic is: whenever a user issues the command to change the password, the SquirrelMail server (http server) passes control of the execution to the mail server, so the password is changed on the mail server rather than on the http server.

The implementation of modified working logic

To implement the logic, I first broke the whole job into three parts.

Part One

In the first part I configured the mail server by copying the 'chpasswd' executable from the plugin directory of the http server to the same directory on the mail server. In my case it is '/usr/share/squirrelmail/plugins/change_passwd'. When copying I followed all the guidance given in the README file of the plugin. Please check the README file of the plugin for the configuration commands.

Part Two

In the second part I modified the configuration PHP file of the plugin itself. The actions I followed in this second phase are listed below.

1. Open the file config.php from the 'Change Password' plugin directory.
2. Find the line containing the string

$overridePathToChpasswd = '';

3. Replace the line with

$overridePathToChpasswd = 'ssh {user}@{ip_address} {full_path}/chpasswd';

[PLEASE NOTE: replace {user} with the administrative user id on your mail server, replace {ip_address} with your mail server's IP address, and replace {full_path} with the absolute path of the 'chpasswd' program on the mail server]

Part Three

This is the most important part of this customization. As we know, ssh is a secured terminal connection between server and client. ssh has two types of authentication method: one is password authentication and the other is key-based authentication. With password authentication, ssh asks the user for the password interactively. Now, imagine how one could enter a password non-interactively from PHP code. No way..! Wait... one way is left, as far as I know. I used key-based authentication (without a passphrase). The steps are as follows.

1. Find out which server in this case acts as the ssh client. In my case the http server acts as the ssh client and the mail server as the ssh server.

2. Now find out which Linux user owns the http/apache server process. You can find this information in the apache configuration file 'httpd.conf' in the /etc/httpd/conf/ directory.

3. Switch to that user from root using the command.

su - apache

[NOTE 1: In my case the 'apache' user is the owner of the http/apache server]
[NOTE 2: Debian users can do this very easily, but Fedora/Red Hat users cannot, because in Fedora/Red Hat the 'nologin' shell is defined as the login shell in the /etc/passwd file.]

[IF YOU ARE A FEDORA/REDHAT USER, FOLLOW THE NEXT STEP; OTHERWISE SKIP TO STEP 5]

4. As root, open the /etc/passwd file. Go to the line holding the login information for the specific user who owns the http/apache server; in my case it is 'apache'. Replace the characters '/sbin/nologin' with '/bin/bash' or '/bin/sh' on that particular line only. Now you can switch to the user that owns the http/apache server by issuing the command.

su - apache

[NOTE: BE CAREFUL WITH THIS TASK. ANY MISTAKE MIGHT MAKE THE SYSTEM UNSTABLE]

5. Now issue the command.

ssh-keygen -t dsa

[NOTE: The system will ask for a passphrase. Leave it blank and press enter at the passphrase prompt]

A file 'id_dsa.pub' will be created in the directory '/home/{user}/.ssh/'. In my case it is in the '/home/apache/.ssh' directory.

6. Copy the DSA public key file to the home directory of the administrative user on the ssh server (in my case, the mail server).

7. Issue the command

cat id_dsa.pub >> .ssh/authorized_keys

Now, please try to log in from the ssh client to the ssh server. If all the steps were done properly, it is very likely that you can log in from the ssh client to the ssh server.

Everything is done. Now, try to change the password from the SquirrelMail web form.
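Step 7 above appends the apache user's passphrase-less key to the mail server administrator's authorized_keys without any restriction, so whoever takes over the web server can open a shell on the mail server as that user. The following is an added example of my own, not code from the original post or from the plugin: it builds an authorized_keys entry for that key which can only run chpasswd, and only from the http server's address, and it audits an authorized_keys file for keys that still grant a full login. It assumes chpasswd takes its input on stdin (the config line in Part Two passes no arguments); the chpasswd path is the one from Part One, the http server address and the key material are made up for the example.

```shell
#!/bin/sh
# Added example: restrict the apache user's key on the mail server so it can
# only run chpasswd, and audit authorized_keys for keys that grant a shell.
# Assumes chpasswd reads its input on stdin; address and keys are illustrative.

CHPASSWD_PATH="/usr/share/squirrelmail/plugins/change_passwd/chpasswd"
HTTP_SERVER_IP="192.0.2.10"   # assumed address of the http server (ssh client)

# Print one authorized_keys line for the given public key: force chpasswd as
# the only command, refuse a pty and all forwarding, and accept the key only
# from the http server. stdin still flows through ssh to chpasswd.
restricted_key_line() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$HTTP_SERVER_IP" "$CHPASSWD_PATH" "$1"
}

# Print every key in an authorized_keys file that carries no command= option,
# i.e. a key that logs straight into a shell. Blank lines and comments are
# skipped. Exit status 1 if at least one such key is found, 0 otherwise.
unrestricted_keys() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            *'command="'*) continue ;;
        esac
        printf '%s\n' "$line"
        found=1
    done < "$1"
    [ "$found" -eq 0 ]
}

# Constructed sample authorized_keys: one restricted entry, then a bare entry
# of the kind that "cat id_dsa.pub >> .ssh/authorized_keys" appends.
SAMPLE_KEYS=$(mktemp)
{
    restricted_key_line 'ssh-dss AAAAB3NzaC1kc3MAAACBAexample1 apache@http'
    printf '# plain entry appended as in the post\n'
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAexample2 apache@http\n'
} > "$SAMPLE_KEYS"

if unrestricted_keys "$SAMPLE_KEYS"; then
    echo "all keys in $SAMPLE_KEYS are restricted"
else
    echo "the key(s) above grant a full shell; replace them with restricted_key_line output" >&2
fi
```

Run the audit against the real ~/.ssh/authorized_keys of the administrative user on the mail server; the forced command also means the ssh login test in step 7 will run chpasswd instead of giving a prompt, which is the intended behaviour.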