Diffstat (limited to 'plugins')
-rw-r--r--plugins/password/README8
-rw-r--r--plugins/password/config.inc.php.dist14
-rw-r--r--plugins/password/drivers/expect.php58
-rw-r--r--plugins/password/helpers/passwd-expect267
-rw-r--r--plugins/password/package.xml3
5 files changed, 350 insertions, 0 deletions
diff --git a/plugins/password/README b/plugins/password/README
index eadf10742..4ae0521d1 100644
--- a/plugins/password/README
+++ b/plugins/password/README
@@ -42,6 +42,7 @@
2.14. Pw (pw_usermod)
2.15. domainFACTORY (domainfactory)
2.16. DBMail (dbmail)
+ 2.17. Expect (expect)
3. Driver API
@@ -282,6 +283,13 @@
Note: DBMail users can also use sql driver.
+ 2.17. Expect (expect)
+ -----------------------------------
+
+ Driver to change user password via the 'expect' command.
+ See config.inc.php.dist file for configuration description.
+
+
3. Driver API
-------------
diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 08a9f6061..d39610680 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -323,3 +323,17 @@ $rcmail_config['password_pw_usermod_cmd'] = 'sudo /usr/sbin/pw usermod -h 0 -n';
// -------------------
// Additional arguments for the dbmail-users call
$rcmail_config['password_dbmail_args'] = '-p sha512';
+
+
+// Expect Driver options
+// ---------------------
+// Location of expect binary
+$rcmail_config['password_expect_bin'] = '/usr/bin/expect';
+
+// Location of expect script (see helpers/passwd-expect)
+$rcmail_config['password_expect_script'] = '';
+
+// Arguments for the expect script. See the helpers/passwd-expect file for details.
+// This is probably a good starting default:
+// -telent -host localhost -output /tmp/passwd.log -log /tmp/passwd.log
+$rcmail_config['password_expect_params'] = '';
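Review bot: The suggested starting default is misspelled as `-telent`, which the helper's option switch does not recognise, so the login mode would silently stay at `ssh`; the same line is repeated in the docblock of drivers/expect.php. It also points `-output` and `-log` at the same file in /tmp, where the helper would open one path both as the session log and as the truncating error log. A fixed name in a world-writable directory is also a poor place for a transcript of a password change. I would suggest something like `// -ssh -host localhost -log <private-dir>/passwd-expect.err` (placeholder path) and leave `-output` for debugging only.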
diff --git a/plugins/password/drivers/expect.php b/plugins/password/drivers/expect.php
new file mode 100644
index 000000000..7a191e254
--- /dev/null
+++ b/plugins/password/drivers/expect.php
@@ -0,0 +1,58 @@
+<?php
+
+/**
+ * expect Driver
+ *
+ * Driver that adds functionality to change the systems user password via
+ * the 'expect' command.
+ *
+ * For installation instructions please read the README file.
+ *
+ * @version 2.0
+ * @author Andy Theuninck <gohanman@gmail.com)
+ *
+ * Based on chpasswd roundcubemail password driver by
+ * @author Alex Cartwright <acartwright@mutinydesign.co.uk)
+ * and expect horde passwd driver by
+ * @author Gaudenz Steinlin <gaudenz@soziologie.ch>
+ *
+ * Configuration settings:
+ * password_expect_bin => location of expect (e.g. /usr/bin/expect)
+ * password_expect_script => path to "password-expect" file
+ * password_expect_params => arguments for the expect script
+ * see the password-expect file for details. This is probably
+ * a good starting default:
+ * -telent -host localhost -output /tmp/passwd.log -log /tmp/passwd.log
+ */
+
+class rcube_expect_password
+{
+ public function save($currpass, $newpass)
+ {
+ $rcmail = rcmail::get_instance();
+ $bin = $rcmail->config->get('password_expect_bin');
+ $script = $rcmail->config->get('password_expect_script');
+ $params = $rcmail->config->get('password_expect_params');
+ $username = $_SESSION['username'];
+
+ $cmd = $bin . ' -f ' . $script . ' -- ' . $params;
+ $handle = popen($cmd, "w");
+ fwrite($handle, "$username\n");
+ fwrite($handle, "$currpass\n");
+ fwrite($handle, "$newpass\n");
+
+ if (pclose($handle) == 0) {
+ return PASSWORD_SUCCESS;
+ }
+ else {
+ raise_error(array(
+ 'code' => 600,
+ 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Password plugin: Unable to execute $cmd"
+ ), true, false);
+ }
+
+ return PASSWORD_ERROR;
+ }
+}
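Review bot: `popen()` can return false, and `save()` then passes that value to `fwrite()` and `pclose()` without a check. The three values are also written as newline-terminated lines while the helper reads exactly three lines with `gets`, so a CR or LF inside a password shifts or truncates the fields. I would reject such values before spawning, test the handle, and quote the script path with `escapeshellarg()`. `password_expect_params` has to stay unquoted because it carries several arguments, so it is worth documenting as administrator-only input. The comparison `pclose($handle) == 0` could also be made strict.

```php
        // … unchanged: config lookups and $username …

        // The helper reads exactly three lines from stdin; a CR/LF inside a
        // value would break that framing.
        foreach (array($username, $currpass, $newpass) as $field) {
            if (strpbrk((string) $field, "\r\n") !== false) {
                return PASSWORD_ERROR;
            }
        }

        $cmd = $bin . ' -f ' . escapeshellarg($script) . ' -- ' . $params;
        $handle = popen($cmd, "w");
        if ($handle === false) {
            // … unchanged: raise_error() call …
            return PASSWORD_ERROR;
        }

        // … unchanged: fwrite() calls and pclose() check …
```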
diff --git a/plugins/password/helpers/passwd-expect b/plugins/password/helpers/passwd-expect
new file mode 100644
index 000000000..7db21ad1f
--- /dev/null
+++ b/plugins/password/helpers/passwd-expect
@@ -0,0 +1,267 @@
+#
+# This scripts changes a password on the local system or a remote host.
+# Connections to the remote (this can also be localhost) are made by ssh, rsh,
+# telnet or rlogin.
+
+# @author Gaudenz Steinlin <gaudenz@soziologie.ch>
+
+# For sudo support alter sudoers (using visudo) so that it contains the
+# following information (replace 'apache' if your webserver runs under another
+# user):
+# -----
+# # Needed for Horde's passwd module
+# Runas_Alias REGULARUSERS = ALL, !root
+# apache ALL=(REGULARUSERS) NOPASSWD:/usr/bin/passwd
+# -----
+
+# @stdin The username, oldpassword, newpassword (in this order)
+# will be taken from stdin
+# @param -prompt regexp for the shell prompt
+# @param -password regexp password prompt
+# @param -oldpassword regexp for the old password
+# @param -newpassword regexp for the new password
+# @param -verify regexp for verifying the password
+# @param -success regexp for success changing the password
+# @param -login regexp for the telnet prompt for the loginname
+# @param -host hostname to be connected
+# @param -timeout timeout for each step
+# @param -log file for writing error messages
+# @param -output file for loging the output
+# @param -telnet use telnet
+# @param -ssh use ssh (default)
+# @param -rlogin use rlogin
+# @param -slogin use slogin
+# @param -sudo use sudo
+# @param -program command for changing passwords
+#
+# @return 0 on success, 1 on failure
+#
+
+
+# default values
+set host "localhost"
+set login "ssh"
+set program "passwd"
+set prompt_string "(%|\\\$|>)"
+set fingerprint_string "The authenticity of host.* can't be established.*\nRSA key fingerprint is.*\nAre you sure you want to continue connecting.*"
+set password_string "(P|p)assword.*"
+set oldpassword_string "((O|o)ld|login|\\\(current\\\) UNIX) (P|p)assword.*"
+set newpassword_string "(N|n)ew.* (P|p)assword.*"
+set badoldpassword_string "(Authentication token manipulation error).*"
+set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)"
+set verify_string "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*"
+set success_string "((P|p)assword.* changed|successfully)"
+set login_string "(((L|l)ogin|(U|u)sername).*)"
+set timeout 20
+set log "/tmp/passwd.out"
+set output false
+set output_file "/tmp/passwd.log"
+
+# read input from stdin
+fconfigure stdin -blocking 1
+
+gets stdin user
+gets stdin password(old)
+gets stdin password(new)
+
+# alternative: read input from command line
+#if {$argc < 3} {
+# send_user "Too few arguments: Usage $argv0 username oldpass newpass"
+# exit 1
+#}
+#set user [lindex $argv 0]
+#set password(old) [lindex $argv 1]
+#set password(new) [lindex $argv 2]
+
+# no output to the user
+log_user 0
+
+# read in other options
+for {set i 0} {$i<$argc} {incr i} {
+ set arg [lindex $argv $i]
+ switch -- $arg "-prompt" {
+ incr i
+ set prompt_string [lindex $argv $i]
+ continue
+ } "-password" {
+ incr i
+ set password_string [lindex $argv $i]
+ continue
+ } "-oldpassword" {
+ incr i
+ set oldpassword_string [lindex $argv $i]
+ continue
+ } "-newpassword" {
+ incr i
+ set newpassword_string [lindex $argv $i]
+ continue
+ } "-verify" {
+ incr i
+ set verify_string [lindex $argv $i]
+ continue
+ } "-success" {
+ incr i
+ set success_string [lindex $argv $i]
+ continue
+ } "-login" {
+ incr i
+ set login_string [lindex $argv $i]
+ continue
+ } "-host" {
+ incr i
+ set host [lindex $argv $i]
+ continue
+ } "-timeout" {
+ incr i
+ set timeout [lindex $argv $i]
+ continue
+ } "-log" {
+ incr i
+ set log [lindex $argv $i]
+ continue
+ } "-output" {
+ incr i
+ set output_file [lindex $argv $i]
+ set output true
+ continue
+ } "-telnet" {
+ set login "telnet"
+ continue
+ } "-ssh" {
+ set login "ssh"
+ continue
+ } "-ssh-exec" {
+ set login "ssh-exec"
+ continue
+ } "-rlogin" {
+ set login "rlogin"
+ continue
+ } "-slogin" {
+ set login "slogin"
+ continue
+ } "-sudo" {
+ set login "sudo"
+ continue
+ } "-program" {
+ incr i
+ set program [lindex $argv $i]
+ continue
+ }
+}
+
+# log session
+if {$output} {
+ log_file $output_file
+}
+
+set err [open $log "w" "0600"]
+
+# start remote session
+if {[string match $login "rlogin"]} {
+ set pid [spawn rlogin $host -l $user]
+} elseif {[string match $login "slogin"]} {
+ set pid [spawn slogin $host -l $user]
+} elseif {[string match $login "ssh"]} {
+ set pid [spawn ssh $host -l $user]
+} elseif {[string match $login "ssh-exec"]} {
+ set pid [spawn ssh $host -l $user $program]
+} elseif {[string match $login "sudo"]} {
+ set pid [spawn sudo -u $user $program]
+} elseif {[string match $login "telnet"]} {
+ set pid [spawn telnet $host]
+ expect -re $login_string {
+ sleep .5
+ send "$user\r"
+ }
+} else {
+ puts $err "Invalid login mode. Valid modes: rlogin, slogin, ssh, telnet, sudo\n"
+ close $err
+ exit 1
+}
+
+set old_password_notentered true
+
+if {![string match $login "sudo"]} {
+ # log in
+ expect {
+ -re $fingerprint_string {sleep .5
+ send yes\r
+ exp_continue}
+ -re $password_string {sleep .5
+ send $password(old)\r}
+ timeout {puts $err "Could not login to system (no password prompt)\n"
+ close $err
+ exit 1}
+ }
+
+ # start password changing program
+ expect {
+ -re $prompt_string {sleep .5
+ send $program\r}
+ # The following is for when passwd is the login shell or ssh-exec is used
+ -re $oldpassword_string {sleep .5
+ send $password(old)\r
+ set old_password_notentered false}
+ timeout {puts $err "Could not login to system (bad old password?)\n"
+ close $err
+ exit 1}
+ }
+}
+
+# send old password
+if {$old_password_notentered} {
+ expect {
+ -re $oldpassword_string {sleep .5
+ send $password(old)\r}
+ timeout {puts $err "Could not start passwd program (no old password prompt)\n"
+ close $err
+ exit 1}
+ }
+}
+
+# send new password
+expect {
+ -re $newpassword_string {sleep .5
+ send $password(new)\r}
+ -re $badoldpassword_string {puts $err "Old password is incorrect\n"
+ close $err
+ exit 1}
+ timeout {puts "Could not change password (bad old password?)\n"
+ close $err
+ exit 1}
+}
+
+# send new password again
+expect {
+ -re $badpassword_string {puts $err "$expect_out(0,string)"
+ close $err
+ send \003
+ sleep .5
+ exit 1}
+ -re $verify_string {sleep .5
+ send $password(new)\r}
+ timeout {puts $err "New password not valid (too short, bad password, too similar, ...)\n"
+ close $err
+ send \003
+ sleep .5
+ exit 1}
+}
+
+# check response
+expect {
+ -re $success_string {sleep .5
+ send exit\r}
+ -re $badpassword_string {puts $err "$expect_out(0,string)"
+ close $err
+ exit 1}
+ timeout {puts $err "Could not change password.\n"
+ close $err
+ exit 1}
+}
+
+# exit succsessfully
+expect {
+ eof {close $err
+ exit 0}
+}
+close $err
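Review bot: The login block answers `yes` to the `fingerprint_string` prompt automatically, which accepts any unknown SSH host key and so removes the protection against connecting to an impostor host. I would drop that branch, require the key to be in known_hosts beforehand, and otherwise fail with a message to `$err`. The `send $password(old)\r` and `send $password(new)\r` calls should be written as `send -- "$password(new)\r"`, because Expect's `send` treats a leading `-` in its argument as a flag. The timeout branch under "send new password" uses `puts "Could not change password …"` without `$err`, so that message goes to stdout instead of the log. The telnet and rlogin modes carry both passwords in cleartext, which deserves a line in the header comment.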
diff --git a/plugins/password/package.xml b/plugins/password/package.xml
index 4b8652168..20517eed8 100644
--- a/plugins/password/package.xml
+++ b/plugins/password/package.xml
@@ -31,6 +31,7 @@
- Added domainfactory driver (#1487882)
- Added DBMail driver (#1488281)
- Helper files moved to helpers/ directory from drivers/
+- Added Expect driver (#1488363)
</notes>
<contents>
<dir baseinstalldir="/" name="/">
@@ -81,6 +82,7 @@
<file name="drivers/dbmail.php" role="php"></file>
<file name="drivers/directadmin.php" role="php"></file>
<file name="drivers/domainfactory.php" role="php"></file>
+ <file name="drivers/expect.php" role="php"></file>
<file name="drivers/ldap.php" role="php"></file>
<file name="drivers/ldap_simple.php" role="php"></file>
<file name="drivers/poppassd.php" role="php"></file>
@@ -99,6 +101,7 @@
<file name="helpers/chgsaslpasswd.c" role="data"></file>
<file name="helpers/chgvirtualminpasswd.c" role="data"></file>
<file name="helpers/chpass-wrapper.py" role="data"></file>
+ <file name="helpers/passwd-expect" role="data"></file>
<file name="config.inc.php.disc" role="data"></file>
</dir>