upgrade to popa3d 0.4; From: maintainer

brad 2000-02-03 18:45:38 +00:00
parent bd0e50fbb0
commit ade0760a17
5 changed files with 28 additions and 42 deletions

View File

@ -1,11 +1,12 @@
# $OpenBSD: Makefile,v 1.2 1999/09/12 15:04:40 brad Exp $
# $OpenBSD: Makefile,v 1.3 2000/02/03 18:45:38 brad Exp $
DISTNAME= popa3d-0.3
DISTNAME= popa3d-0.4
CATEGORIES= net mail
MASTER_SITES= ftp://ftp.dataforce.net/pub/solar/ \
ftp://ftp.dqc.org/archive/
MASTER_SITES= http://www.openwall.com/popa3d/ \
ftp://ftp.openwall.com/popa3d \
ftp://ftp.dataforce.net/pub/solar/
MAINTAINER= dobbe@xs4all.nl
MAINTAINER= cd@sentia.nl
NO_CONFIGURE= yes
ALL_TARGET= popa3d
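
Review bot: the new second MASTER_SITES entry, ftp://ftp.openwall.com/popa3d, has no trailing slash, unlike the other two entries in the list. The ports framework appends the distfile name directly to each site, so this mirror would be requested as .../popa3dpopa3d-0.4.tar.gz and never succeed; write it as ftp://ftp.openwall.com/popa3d/ so the fallback order actually works.
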
@ -14,6 +15,6 @@ do-install:
${INSTALL_PROGRAM} ${WRKSRC}/popa3d ${PREFIX}/libexec
post-install:
@${SH} ${PKGDIR}/INSTALL ${DISTNAME} POST-INSTALL
@PKG_PREFIX="${PREFIX}" sh ${PKGDIR}/INSTALL ${DISTNAME} POST-INSTALL
.include <bsd.port.mk>
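
Review bot: in post-install the interpreter changes from ${SH} to a literal sh in the same line that adds PKG_PREFIX, and nothing in the commit explains why the make variable was dropped. Keeping it means the INSTALL script runs under the shell the ports framework selects rather than whatever sh is first in PATH: @PKG_PREFIX="${PREFIX}" ${SH} ${PKGDIR}/INSTALL ${DISTNAME} POST-INSTALL.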

View File

@ -1,3 +1,3 @@
MD5 (popa3d-0.3.tar.gz) = 53770ad90b763e2ba7721316e2da590f
RMD160 (popa3d-0.3.tar.gz) = c2cf6c16d9399987b7d478d273e5bc51bac099d8
SHA1 (popa3d-0.3.tar.gz) = 4025f549a4aa9e04768835b2ef1dfc6a3adf0990
MD5 (popa3d-0.4.tar.gz) = 4ce2ed209abeaeaae7724d8d24bb7dbf
RMD160 (popa3d-0.4.tar.gz) = 869ea1d25a626ce9248061894c47c1b1aacfdd9c
SHA1 (popa3d-0.4.tar.gz) = 47df1be78048b68b6ce7b552cccd76579d576710
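
Review bot: the three digests for popa3d-0.4.tar.gz are recorded in the same commit that moves the primary MASTER_SITES entry to http://www.openwall.com/popa3d/, and the commit message does not say which copy of the tarball they were computed from. Since these values are the only integrity check the port applies to the download, state in the log where the distfile was fetched and that it was compared against what upstream publishes before the digests were written down.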

View File

@ -1,5 +1,5 @@
--- params.h.orig Thu Mar 25 05:25:55 1999
+++ params.h Fri Sep 10 21:11:11 1999
--- params.h.orig Thu Feb 3 15:45:32 2000
+++ params.h Thu Feb 3 15:59:36 2000
@@ -33,7 +33,7 @@
* An unprivileged dummy user to run as before authentication. The user
* and its UID must not be used for any other purpose.
@ -9,22 +9,26 @@
/*
* Sessions will be closed if idle for longer than POP_TIMEOUT seconds.
@@ -58,19 +58,19 @@
/*
* Do we have shadow passwords? Note: password aging is not supported.
@@ -62,14 +62,15 @@
* Do we have shadow passwords? (Not for *BSD.)
* Note: password aging is not supported.
*/
-#define AUTH_SHADOW 1
+#define AUTH_SHADOW 0
/*
* A salt used to waste some CPU time on dummy crypt(3) calls and make
* it harder to check for valid usernames. Adjust it for your crypt(3).
* it harder (but still far from impossible, on most systems) to check
* for valid usernames. Adjust it for your crypt(3).
*/
-#define AUTH_DUMMY_SALT "xx"
+#define AUTH_DUMMY_SALT "$2a$07$DummyBlowfishSalt"
+/* echo -n "dummyblowfishsalt" | encrypt -b 7 */
+#define AUTH_DUMMY_SALT "$2a$07$.SZB2Z1e3w0fyDRiRd8k/eHANXfEMcuNLZNva1iUFCzjVF0CzHbkq"
/*
* Your mail spool directory. Note: only local (non-NFS) mode 755 mail
* Message to return to the client when authentication fails. You can
@@ -81,7 +82,7 @@
* Your mail spool directory. Note: only local (non-NFS) mode 775 mail
* spools are currently supported.
*/
-#define MAIL_SPOOL_PATH "/var/spool/mail"
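
Review bot: the new AUTH_DUMMY_SALT is a complete bcrypt string at cost 07, so the dummy crypt(3) call only takes as long as a real check when the real accounts are also hashed at 7 rounds; with any other cost the timing difference still separates valid usernames from invalid ones. The added comment shows how the value was produced (encrypt -b 7) but not that constraint, so extend it to say the -b value has to match the rounds used for local passwords on the target system and must be regenerated when that setting changes.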

View File

@ -1,17 +0,0 @@
--- pop_root.c.orig Thu Mar 25 05:25:55 1999
+++ pop_root.c Fri Sep 10 21:20:11 1999
@@ -140,8 +140,13 @@
*pw->pw_passwd == '*' || *pw->pw_passwd == '!')
crypt(pass, AUTH_DUMMY_SALT);
else
- if (!strcmp(crypt(pass, pw->pw_passwd), pw->pw_passwd))
+ if (!strcmp(crypt(pass, pw->pw_passwd), pw->pw_passwd)) {
+#if defined(__OpenBSD__)
+ /* zero out the password, obsd getpwnam cleaned up the rest */
+ bzero(pw->pw_passwd, strlen(pw->pw_passwd));
+#endif
return pw;
+ }
return NULL;
}
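
Review bot: deleting this patch drops the bzero() of pw->pw_passwd after the successful strcmp(), while the same commit sets AUTH_SHADOW to 0, which makes the plain getpwnam() path the one in use. Nothing visible in this commit shows that 0.4 clears the hash on that path itself; confirm that upstream pop_root.c now does so and record it in the commit message, or carry a regenerated version of the patch.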

View File

@ -1,19 +1,17 @@
Security issues:
This port does not use "shadow" password authentication, because things
work a bit differently on BSD systems. The 'normal' authentication function
is patched to zero-out the password after authentication. Because OpenBSD's
getpwnam takes great care to cleanup, I'm fairly positive this patch achieves
the same level of security as all the trickery in function do_shadow_auth.
The author recommends that a seperate user 'popa3d' is created. However,
for ease of installation this port uses 'nobody'. Don't use 'nobody' for
anything else, or recompile popa3d to use 'popa3d' and create that user
yourself.
The onetime use of strcmp seems correct. One parameter is 'pw->passwd',
obtained from a call to getpwnam. The other parameter is 'pass', which is
derived from an input-buffer of which apop3d takes care not to overrun.
derived from an input-buffer of which popa3d takes care not to overrun.
sprintf is used once. Its parameters are 'MAIL_SPOOL_PATH', which is a
compile-time constant and 'mailbox', which is the username, derived from
the password-file.
One more time: POP3 is inherently insecure. Passwords are sent in cleartext,
everytime a user checks his mailbox. apop3d does not have APOP support.
everytime a user checks his mailbox. popa3d does not have APOP support.
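
Review bot: the retained paragraph says the port uses 'nobody' "for ease of installation", while the params.h comment carried in this same commit states that the dummy user "and its UID must not be used for any other purpose". 'nobody' is shared by whatever else on the system runs unprivileged, so a warning in this file is a weak control; since the INSTALL script already runs at post-install, consider having it create a dedicated popa3d user and building with that name. With the do_shadow_auth paragraph removed, the file also no longer says how passwords are checked on OpenBSD, so a sentence on the non-shadow path would be useful, and "seperate" and "everytime" could be corrected while the file is being touched.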