Re: ideas needed for password management

2020-09-24 Thread Uwe Werler
On 24 Sep 10:55, Uwe Werler wrote:
> On 23 Sep 20:52, Hakan E. Duran wrote:
> > Dear all,
> > 
> > I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and 
> > Dovecot. The users will be the Unix users on the VPS for simplicity. 
> > However, I now have the problem of allowing users setting and modifying 
> > their own passwords (perhaps even their usernames) without giving them ssh 
> > access to the host. I don't have technical background and training for this 
> > type of work; however, I love doing this, please be gentle with me. The 
> > mail server is a hobby that is intended for family and a few friends, and 
> > is not mission critical.
> > 
> > I thought something like Webmin could work for this purpose, but without 
> > root access of course. However, I am not sure if such a tool exists. Any 
> > other ideas are welcome.
> > 
> > Thank you so much in advance for your suggestions.
> > 
> > Hakan
> > 
> 
> Hi Hakan,
> 
> I had a similar problem which I solved with Rainloop (as an app in Nextcloud)
> with the POPPASSD plugin and the local poppassd daemon (pkg_add openpoppassd).
> 
> -- 
> wq: ~uw
> 

But as Stuart suggested - I would rather use a db backend for that. I plan
myself to finally use ldapd for that. Most applications allow e.g. password
changes against ldap. In my setup I complicated things more than making it
easier. For example I separated my system user from my "virtual" user for mail
etc. That could have been done in the end simpler with ldap.

-- 
wq: ~uw



Re: ideas needed for password management

2020-09-24 Thread Uwe Werler
On 23 Sep 20:52, Hakan E. Duran wrote:
> Dear all,
> 
> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and 
> Dovecot. The users will be the Unix users on the VPS for simplicity. However, 
> I now have the problem of allowing users setting and modifying their own 
> passwords (perhaps even their usernames) without giving them ssh access to 
> the host. I don't have technical background and training for this type of 
> work; however, I love doing this, please be gentle with me. The mail server 
> is a hobby that is intended for family and a few friends, and is not mission 
> critical.
> 
> I thought something like Webmin could work for this purpose, but without root 
> access of course. However, I am not sure if such a tool exists. Any other 
> ideas are welcome.
> 
> Thank you so much in advance for your suggestions.
> 
> Hakan
> 

Hi Hakan,

I had a similar problem which I solved with Rainloop (as an app in Nextcloud)
with the POPPASSD plugin and the local poppassd daemon (pkg_add openpoppassd).

-- 
wq: ~uw



Re: ideas needed for password management

2020-09-24 Thread Torsten
Hi
You need a smtpd server which is native to BSD and supports auth backends

Have a look here
https://www.fehcom.de/sqmail/sqmail.html

I use it with dovecot with mysql auth backend, sqmail basically calls a
dovadmin socket to authenticate, so no need for mysql as long as you can
login to dovecot pop3 or imap

T

-Original Message-
From: owner-m...@openbsd.org On Behalf Of Roderick
Sent: 24 September 2020 14:33
To: Hakan E. Duran
Cc: misc@openbsd.org
Subject: Re: ideas needed for password management


(1) I would separate login to Email (smtp+imap authentication)
 from any other login (to machine) as many people told you here.

(2) Perhaps write a cgi script? But that needs a lot of care
 due to security.

(3) offer a web mailer that has this service? Prayer webmail has
 this, but it looks very primitive, just calls a program as I
 remember, and seems not to be maintained. Perhaps other webmail has it?

Rod.



On Wed, 23 Sep 2020, Hakan E. Duran wrote:

> Dear all,
>
> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and
Dovecot. The users will be the Unix users on the VPS for simplicity.
However, I now have the problem of allowing users setting and modifying
their own passwords (perhaps even their usernames) without giving them ssh
access to the host. I don't have technical background and training for this
type of work; however, I love doing this, please be gentle with me. The mail
server is a hobby that is intended for family and a few friends, and is not
mission critical.
>
> I thought something like Webmin could work for this purpose, but without
root access of course. However, I am not sure if such a tool exists. Any
other ideas are welcome.
>
> Thank you so much in advance for your suggestions.
>
> Hakan
>
>




Re: ideas needed for password management

2020-09-24 Thread ben
I may have misunderstood OP's problem.


Ben Raskin.



Re: ideas needed for password management

2020-09-24 Thread Roderick



(1) I would separate login to Email (smtp+imap authentication)
from any other login (to machine) as many people told you here.

(2) Perhaps write a cgi script? But that needs a lot of care
due to security.

(3) offer a web mailer that has this service? Prayer webmail has
this, but it looks very primitive, just calls a program as I
remember, and seems not to be maintained. Perhaps other webmail has it?

Rod.



On Wed, 23 Sep 2020, Hakan E. Duran wrote:


Dear all,

I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and 
Dovecot. The users will be the Unix users on the VPS for simplicity. However, I 
now have the problem of allowing users setting and modifying their own 
passwords (perhaps even their usernames) without giving them ssh access to the 
host. I don't have technical background and training for this type of work; 
however, I love doing this, please be gentle with me. The mail server is a 
hobby that is intended for family and a few friends, and is not mission 
critical.

I thought something like Webmin could work for this purpose, but without root 
access of course. However, I am not sure if such a tool exists. Any other ideas 
are welcome.

Thank you so much in advance for your suggestions.

Hakan






Re: ideas needed for password management

2020-09-24 Thread Daniel Jakots
On Thu, 24 Sep 2020 09:29:37 -0400 (EDT), ben wrote:

> You don't. Pass is a password manager. It stores passwords for later
> use.

Indeed. So how is pass relevant to OP's problem?



Re: ideas needed for password management

2020-09-24 Thread ben
You don't. Pass is a password manager. It stores passwords for later use.


Ben Raskin.



Re: ideas needed for password management

2020-09-24 Thread Daniel Jakots
On Thu, 24 Sep 2020 08:56:01 -0400 (EDT), ben wrote:

> The pass program for most UNIX based operating systems
> should be available. I'm pretty sure on OpenBSD it's 
> under a different name, so query for package names
> with 'pass' in them.


Out of curiosity, how do you interface OpenSMTPD/Dovecot with pass?



Re: ideas needed for password management

2020-09-24 Thread ben
The pass program for most UNIX based operating systems
should be available. I'm pretty sure on OpenBSD it's 
under a different name, so query for package names
with 'pass' in them.


Ben Raskin.



Re: ideas needed for password management

2020-09-24 Thread Stuart Henderson
On 2020-09-24, Hakan E. Duran wrote:
> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP
> and Dovecot. The users will be the Unix users on the VPS for simplicity.
> However, I now have the problem of allowing users setting and modifying
> their own passwords (perhaps even their usernames) without giving them
> ssh access to the host. I don't have technical background and training
> for this type of work; however, I love doing this, please be gentle with
> me. The mail server is a hobby that is intended for family and a few
> friends, and is not mission critical.

The email daemons don't have to use the passwords associated with Unix
accounts, they can do their own authentication against some database
(LDAP/SQL). With this it will be a lot easier to allow self-service
password changes via a web-based system as you're just updating a
database record.

FWIW on dedicated mailservers I find it simpler to skip the separate
Unix user accounts completely and just use a single uid for mail storage,
especially if using shared mailboxes. It's not difficult to setup -
https://wiki.dovecot.org/VirtualUsers




Re: ideas needed for password management

2020-09-23 Thread Mitchell Riedstra


> However, I now have the problem of allowing users setting and
> modifying their own passwords (perhaps even their usernames) without
> giving them ssh access to the host.

It will be a bit more tricky if you want them to be able to change
their usernames and such, but it's possible to modify sshd to force a
command for a specific group.

For instance if you create a group 'passwdonly', add the users to it,
and place a:

Match Group passwdonly
ForceCommand /usr/bin/passwd

At the bottom of /etc/ssh/sshd_config it makes the only thing they can
do when they SSH is to be able to change their password.

If you have password authentication turned off you can turn it on for
that specific group as well.

You can also write a custom script to prompt them for what they wish to
do, change their username and such and force that to be the command.


> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP
> and Dovecot. The users will be the Unix users on the VPS for
> simplicity.

In this instance, if you wish to expose a web interface for changing
of usernames and passwords, going with virtual users backed by
a SQL database may be easier and less likely to compromise the host.

I know you had mentioned not having a lot of experience in this area,
but if it's a hobby the bit of programming involved may be fun.

I hope this helps.

--
Mitch Riedstra
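
The "virtual users backed by a SQL database" route that Mitch and Stuart both point at comes down to one operation a web front end (or Roderick's carefully written CGI script) has to get right: verify the current password, validate the input, and replace one database record holding a hash Dovecot can check. The following is an added example, not code from the thread, from Dovecot or from any webmail package. It assumes a SQLite table `users(username, password)` whose `password` column holds a Dovecot-style `{SSHA512}` hash (base64 of sha512(password + salt) followed by the salt, which is how Dovecot's salted SHA schemes are laid out), so a `passdb { driver = sql }` with a `password_query` selecting those two columns could consume it. The table and column names, the 12-character minimum and the username pattern are choices made here, not anything the thread specifies.

```python
"""
Self-service password change against a Dovecot-style SQL passdb.

Added example (not from the thread, Dovecot or OpenSMTPD). Assumed schema:
    users(username TEXT PRIMARY KEY, password TEXT NOT NULL)
with `password` holding a {SSHA512} hash, i.e. base64(sha512(pw + salt) + salt).
"""
import base64
import hashlib
import hmac
import re
import secrets
import sqlite3
from typing import Optional

SCHEME = "{SSHA512}"
SALT_LEN = 16          # bytes of random salt per hash (assumption)
MIN_LEN = 12           # minimum new-password length (policy choice, assumption)
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")   # local-part shape (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA512} hash: base64(sha512(password + salt) + salt)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a stored {SSHA512} hash with a constant-time compare."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:64], raw[64:]          # sha512 digest is 64 bytes, salt follows
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the assumed users table."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS users "
        "(username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Provisioning step the admin runs; the web side never creates accounts."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (username, hash_password(password)),
    )
    conn.commit()


def change_password(conn: sqlite3.Connection, username: str,
                    old_password: str, new_password: str) -> bool:
    """
    The handler a web form or CGI script should call. Rejects bad usernames
    before touching the database, requires the current password (a stolen
    session alone is not enough), enforces the length policy, and only then
    swaps in a freshly salted hash. Parameterised SQL keeps user input out
    of the query text. Returns True only when the record was updated.
    """
    if not USERNAME_RE.match(username):
        return False
    if len(new_password) < MIN_LEN:
        return False
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not verify_password(old_password, row[0]):
        return False
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?",
        (hash_password(new_password), username),
    )
    conn.commit()
    return True


if __name__ == "__main__":
    db = open_db()
    add_user(db, "hakan", "correct horse battery")               # constructed sample account
    print(change_password(db, "hakan", "wrong", "another long passphrase"))             # False
    print(change_password(db, "hakan", "correct horse battery", "short"))               # False
    print(change_password(db, "hakan", "correct horse battery", "another long passphrase"))  # True
```

A CGI or web handler would do nothing more than read the three form fields and call change_password; everything that "needs a lot of care" (username validation, current-password check, parameterised SQL, never logging the plaintext) sits in that one function, where it can be tested offline as above. Rate limiting the endpoint and serving it only over TLS are outside the function and still necessary.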




Re: ideas needed for password management

2020-09-23 Thread Hakan E. Duran
Thank you Mitch for the ideas! Please see below:

On 20/09/23 10:30PM, Mitchell Riedstra wrote:
>
> > However, I now have the problem of allowing users setting and
> > modifying their own passwords (perhaps even their usernames) without
> > giving them ssh access to the host.
>
> It will be a bit more tricky if you want them to be able to change
> their usernames and such, but it's possible to modify sshd to force a
> command for a specific group.
>
> For instance if you create a group 'passwdonly', add the users to it,
> and place a:
>
> Match Group passwdonly
>   ForceCommand /usr/bin/passwd
>
> At the bottom of /etc/ssh/sshd_config it makes the only thing they can
> do when they SSH is to be able to change their password.
>
> If you have password authentication turned off you can turn it on for
> that specific group as well.
>
> You can also write a custom script to prompt them for what they wish to
> do, change their username and such and force that to be the command.
>
I learned a lot from these few lines and I appreciate that. The users of
this service will not know what ssh is and they will probably do most of
the tasks by their smartphones. That's why I am guessing the web interface
may be the most extreme they may tolerate, lol.
>
> > I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP
> > and Dovecot. The users will be the Unix users on the VPS for
> > simplicity.
>
> In this instance, if you wish to expose a web interface for changing
> of usernames and passwords, going with virtual users backed by
> a SQL database may be easier and less likely to compromise the host.
>
> I know you had mentioned not having a lot of experience in this area,
> but if it's a hobby the bit of programming involved may be fun.

It looks like I gotta do some reading to learn how to do this. I wonder
if Rainloop would be simpler or more work. I guess I am a lazy hobbyist,
lol!

Thanks again for the brainstorming, I truly appreciate it.

Hakan




ideas needed for password management

2020-09-23 Thread Hakan E. Duran
Dear all,

I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and 
Dovecot. The users will be the Unix users on the VPS for simplicity. However, I 
now have the problem of allowing users setting and modifying their own 
passwords (perhaps even their usernames) without giving them ssh access to the 
host. I don't have technical background and training for this type of work; 
however, I love doing this, please be gentle with me. The mail server is a 
hobby that is intended for family and a few friends, and is not mission 
critical.

I thought something like Webmin could work for this purpose, but without root 
access of course. However, I am not sure if such a tool exists. Any other ideas 
are welcome.

Thank you so much in advance for your suggestions.

Hakan