COURIERPASSWD(8) Authentication COURIERPASSWD(8)NAME
couirerpasswd - Authenticate users and change passwords using the
Courier authentication library
SYNOPSIScourierpasswd [-chvV] [-s SERVICE] [-C CRAMTYPE] [--stdin] [--stderr]
[prog...]
courierpasswd-s, --service SERVICE
courierpasswd-c, --changepwd
courierpasswd-C, --cramtype CRAMTYPE
courierpasswd-h, --help
courierpasswd-V, --version
Additional options (see below):
[-v, --verbose] [--stdin] [--stderr]
DESCRIPTIONcourierpasswd uses courier authentication modules to authenticate users
and to change their passwords. Using the --changepwd option will change
a user's password, otherwise the user will be authenticated. The pass‐
word changing functionality is not available for users authenticated
with CRAM.
courierpasswd uses the checkpassword protocol for obtaining authentica‐
tion tokens from either file descriptor 3 or from stdin (see below).
checkpassword style programs are usually run by network server programs
that wish to authenticate remote users.
The service to use with courierpasswd will depend on the specific
authentication modules installed. Often 'login' will be appropriate
but other possibilities include 'imap' and 'pop3'. This value defaults
to 'login'. See the Courier documentation for a further explanation of
this option.
When authenticating users with CRAM, courierpasswd's --cramtype option
can be used to specify the CRAM type. Valid choices for --cramtype are
'md5', 'sha1' and 'sha256'. If not specified, CRAM type defaults to
md5. Passwords cannot be changed when the --cramtype option is used
with courierpasswd. If both the --changepwd and --cramtype options are
present, the --cramtype option will be ignored.
LOGGINGcourierpasswd logs attempts to authenticate users and change passwords,
successful or not, to syslog or to stderr if the --stderr option is
used.
courierpasswd does certain checks on command line arguments so it is
important to put --stderr first in the argument list if it is to be
used in order for these checks to be logged properly.
DEBUGGING
You can turn on verbose output using the -v or --verbose option.
courierpasswd starts to log all of its actions and the results of those
actions to stderr.
There is a way to manually trace how the courierpasswd changes pass‐
words: use the --stdin and --stderr options. With these options couri‐
erpasswd reads authentication tokens from stdin, and logs actions to
stderr. You can trace the activity of courierpasswd when authenticat‐
ing a user with the following command:
$ echo -e "username\0oldpassword\0" \
| courierpasswd--stderr --stdin --verbose
or when using CRAM:
$ echo -e "username\0challenge\0response\0" \
| courierpasswd--stderr --stdin --verbose --cramtype sha1
or when changing a password with this command:
$ echo -e "username\0oldpassword\0newpassword\0" \
| courierpasswd--stderr --stdin --verbose --changepwd
These commands fail if either password begins with a number. In such a
case, the echo command can be replaced with either of the following
statements when authenticating a user. Which one is chosen will depend
on the scripting language available.
$ python -c 'print "%s\0%s\0" % \
("username","oldpassword")'
or
$ perl -e 'printf "%s\0%s\0","username","oldpassword"'
When changing a password, use one of these two commands:
$ python -c 'print "%s\0%s\0%s\0" % \
("username","oldpassword","newpassword")'
or
$ perl -e 'printf "%s\0%s\0%s\0","username", \
"oldpassword","newpassword"'
BUGS
If you've found a bug in courierpasswd, please report it to free‐
ware@arda.homeunix.net
SEE ALSO
http://cr.yp.to/checkpwd.html
http://www.courier-mta.org/authlib/
AUTHORcourierpasswd was written by Andrew St. Jean
checkpassword interface was designed by Daniel J. Bernstein.
Courier authentication library was written by Sam Varshavchik
GNU/Linux 20 Jan 2005 COURIERPASSWD(8)