OPIE OTP Support Patches for the Qualcomm Popper Daemon, Version 1.2
====================================================================

This patch file, along with the OPIE software, should allow you to build a
version of the Qualcomm Popper daemon (we used a beta of v2.1.4, YMMV) that
supports OTP authentication. We are providing these patches as an example of
how you might use OPIE to add OTP authentication to a POP server daemon.

Please refer to the OPIE README file for information on OPIE, the license for
OPIE software, and for a notice that there is NO WARRANTY of any kind on the
software, including these patches.

Installation
------------

First, obtain and compile the OPIE software. We built and tested these patches
with OPIE 2.12. Other versions may or may not work.

Copy the files 'opie.h' and 'libopie.a' into the qpopper2.1.4 directory where
you have the Popper source code. From the parent of that directory, use
patch(1) to apply this patch.

Edit the appropriate Makefile for your system to add '-DOPIE=1' to the flags
passed to the C compiler (this will probably be on a CFLAGS line) and to add
'-L. -lopie' to the flags passed to the loader/link editor (this will probably
be either an LDFLAGS or a LIBS line). Then build and install the Popper daemon
normally.

If you would like to experiment with POP3 using OTP without affecting other
POP3 clients, you may wish to use an alternate service port for your POP3
server. Add a line to your /etc/services file that reads:

    pop3-otp 1234/tcp # POP3 with OTP authentication

Then, instead of specifying 'pop3' for the service in your inetd.conf file,
specify 'pop3-otp'. (Note that this MUST be done on BOTH client AND server,
and that you can substitute whatever number you want for 1234, but it MUST
match on all systems.)

History
-------

Modified by cmetz for version 1.2. Made sure we ran opieverify() once we got a
PASS command (else the sequence won't get decremented if the
AUTHFILE/NONAUTHFILE checks fail!).
Fixed cleartext password logic so it should now actually work. Add more documentation. Modified at NRL for version 1.1. Added some documentation, changed original directory names to be more patch friendly. Created at NRL. *** qpopper2.1.4/pop_init.c Wed Jun 14 16:55:35 1995 --- qpopper2.1.4/pop_init.c Tue Dec 26 16:30:33 1995 *************** *** 51,54 **** --- 51,59 ---- */ + #if OPIE + #include "opie.h" + extern int af_pwok; + #endif /* OPIE */ + #ifdef STRDUP #include *************** *** 104,107 **** --- 109,116 ---- #endif /* KERBEROS */ + + #if OPIE + af_pwok = opieaccessfile(p->client); + #endif /* OPIE */ return(POP_SUCCESS); *** qpopper2.1.4/pop_pass.c Mon Oct 2 13:25:34 1995 --- qpopper2.1.4/pop_pass.c Tue Dec 26 16:29:41 1995 *************** *** 19,22 **** --- 19,29 ---- #include + + #if OPIE + #include "opie.h" + extern int pwok; + extern struct opie opiestate; + #endif /* OPIE */ + #include "popper.h" *************** *** 507,514 **** --- 514,532 ---- #endif + #if OPIE + if (opieverify(&opiestate, p->pop_parm[1])) { + if (pwok) + #endif /* OPIE */ if (auth_user(p, pwp) != POP_SUCCESS) { sleep(10); return(POP_FAILURE); } + #if OPIE + pop_msg(p, POP_FAILURE, pwerrmsg, p->user); + sleep(10); + return(POP_FAILURE); + } + #endif /* OPIE */ + #ifdef SECURENISPLUS *** qpopper2.1.4/pop_user.c Thu Sep 21 18:19:12 1995 --- qpopper2.1.4/pop_user.c Tue Dec 26 16:28:04 1995 *************** *** 34,37 **** --- 34,43 ---- #endif + #if OPIE + #include "opie.h" + int pwok, af_pwok; + struct opie opiestate; + #endif /* OPIE */ + #include "popper.h" *************** *** 55,58 **** --- 61,68 ---- datum key, value; # endif + #if OPIE + struct passwd *pw; + char prompt[OPIE_CHALLENGE_MAX + 1]; + #endif /* OPIE */ /* Save the user name */ *************** *** 127,131 **** --- 137,154 ---- /* Tell the user that the password is required */ + #if OPIE + if (((pw = getpwnam(p->user)) == NULL) || (pw->pw_passwd == NULL) || + (*pw->pw_passwd == '\0')) + return (pop_auth_fail(p, 
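Review bot: In pop_init.c (hunk at new lines 109-116), `af_pwok = opieaccessfile(p->client);` decides whether cleartext passwords are acceptable from this peer, but the hunk does not show how `p->client` was obtained. If it holds a name taken from a reverse DNS lookup rather than the peer's numeric address, the cleartext exemption rests on DNS data the connecting side may influence. That should be confirmed in the part of the function outside this hunk, and the numeric address passed instead if one is available. The assignment also deserves a comment such as `/* nonzero: access file permits cleartext passwords from this client */`, because the flag is consumed later in pop_user.c.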
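Review bot: In the qpopper2.1.4/pop_pass.c hunk at new lines 514-532, the added `pop_msg(p, POP_FAILURE, pwerrmsg, p->user); sleep(10); return(POP_FAILURE);` sits unconditionally inside the `if (opieverify(...))` body, so once the OTP check fails the function returns failure even when `pwok` is set and `auth_user()` accepted the password. `opieverify()` is also reached only at this point, after the earlier checks in the function, which is the ordering the version 1.2 History entry describes as leaving the sequence undecremented. The later `pop_pass.c.orig` to `pop_pass.c` section of this file appears to patch the same original (same source timestamp, identical first hunk) with corrected logic. The two sections cannot both apply, so this one looks stale and should be removed or clearly marked as superseded.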
POP_FAILURE, pwerrmsg, p->user)); + + pwok = af_pwok && opiealways(pw->pw_dir); + + opiechallenge(&opiestate, p->user, prompt); + + return (pop_msg(p,POP_SUCCESS,"OTP response %s %s for %s.", prompt, + pwok ? "requested" : "required", p->user)); + #else /* OPIE */ return (pop_msg(p,POP_SUCCESS,"Password required for %s.",p->user)); + #endif /* OPIE */ } *** pop_pass.c.orig Mon Oct 2 13:25:34 1995 --- pop_pass.c Sat Jan 13 15:23:22 1996 *************** *** 19,22 **** --- 19,29 ---- #include + + #if OPIE + #include "opie.h" + extern int pwok; + extern struct opie opiestate; + #endif /* OPIE */ + #include "popper.h" *************** *** 444,447 **** --- 451,457 ---- { struct passwd pw, *pwp; + #if OPIE + int opieresult = -1; + #endif /* OPIE */ #ifdef SECURENISPLUS *************** *** 453,456 **** --- 463,470 ---- #endif + #if OPIE + opieresult = opieverify(&opiestate, p->pop_parm[1]); + #endif /* OPIE */ + #ifdef NONAUTHFILE /* Is the user not authorized to use POP? */ *************** *** 507,514 **** --- 521,540 ---- #endif + #if OPIE + if (opieresult) { + if (!pwok) { + pop_msg(p, POP_FAILURE, pwerrmsg, p->user); + sleep(10); + return(POP_FAILURE); + } + #endif /* OPIE */ if (auth_user(p, pwp) != POP_SUCCESS) { sleep(10); return(POP_FAILURE); } + #if OPIE + } + #endif /* OPIE */ + #ifdef SECURENISPLUS
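Review bot: In pop_user.c (hunk at new lines 137-154), the early `return (pop_auth_fail(p, POP_FAILURE, pwerrmsg, p->user));` taken when `getpwnam()` yields no usable entry makes the USER reply differ between unknown and known accounts, whereas the non-OPIE branch in the visible lines answers "Password required" without any lookup. An unauthenticated client can therefore learn which account names exist. Consider issuing a challenge in every case and deferring the rejection to PASS, with `pwok` forced to 0 when `pw` is NULL. The return value of `opiechallenge(&opiestate, p->user, prompt)` is also discarded; it should be checked, or the reason for ignoring it documented, since `opiestate` is later handed to `opieverify()`. The enclosing function begins outside this hunk.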
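Review bot: In the pop_pass.c hunk at new lines 521-540, a successful OTP check (`opieresult` equal to 0) skips `auth_user(p, pwp)` altogether, so anything that function enforces besides comparing the password would not apply to OTP logins. Its body is outside this patch, so this needs confirming before relying on it. The `if (opieresult) {` is opened in one `#if OPIE` block and closed in another, which is easy to break in later edits; mark the closing brace, for example `} /* if (opieresult): OTP rejected, cleartext fallback */`. The enclosing function starts and ends outside the hunk.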