On Thu, Apr 13, 2000 at 02:05:27PM -0500, John Coy wrote:
> I've honestly spent quite a bit of time searching
> the web and the mailing list archive for hints
> on getting APOP to work with the qmail_popup+qmail_pop3d+
> checkpassword programs. I've seen references for
> a "checkpw" program which replaces checkpassword, but
> all the links for it are broken. Does anyone know of
> a place to download this program?
>
> Other than that, I've seen entries in the README files about
> APOP hooks, and I've even looked at the qmail_popup.c source
> to see if it's implemented. The hook is there... but
> something in my implementation isn't working.
>
> I was wondering if anyone had any hints on getting
> APOP to work? I'd like to use both POP logins
> and APOP logins, if possible.
Shinya Ohira wrote a checkpw which allows both POP and APOP authentication.
The link on www.qmail.org gives 404.
You can however find a copy here: http://x42.com/qmail/contrib/
and a patch to this package that should be applied:
It fixes a little security lapsus leaving the real password in clear text in
server memory if the authentification fails.
Here it is: http://x42.com/qmail/patches/checkapoppw.diff
cheers,
magnus
--
"Security is not about addons. It is about trusting the base of the system,
all the way down to 8 line functions in libc or the kernel."
-- Theo de Raadt
