No OneTemporary
Actions

Size

41 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/composer.json-dist b/composer.json-dist
	index 0ca230fb5..1e5655a30 100644
	--- a/composer.json-dist
	+++ b/composer.json-dist
	@@ -1,31 +1,32 @@
	{
	"name": "roundcube/roundcubemail",
	"description": "The Roundcube Webmail suite",
	"license": "GPL-3.0+",
	"repositories": [
	{
	"type": "composer",
	"url": "https://plugins.roundcube.net/"
	}
	],
	"require": {
	"php": ">=5.4.0",
	"pear/pear-core-minimal": "~1.10.1",
	"pear/auth_sasl": "~1.1.0",
	"pear/net_idna2": "~0.2.0",
	"pear/mail_mime": "~1.10.0",
	"pear/net_smtp": "~1.8.1",
	"pear/crypt_gpg": "~1.6.3",
	"pear/net_sieve": "~1.4.3",
	"roundcube/plugin-installer": "~0.1.6",
	"masterminds/html5": "~2.3.0",
	"endroid/qr-code": "~1.6.5"
	},
	"require-dev": {
	"phpunit/phpunit": "^4.8.36 \|\| ^5.7.21"
	},
	"suggest": {
	"pear/net_ldap2": "~2.2.0 required for connecting to LDAP",
	- "kolab/net_ldap3": "~1.0.6 required for connecting to LDAP"
	+ "kolab/net_ldap3": "~1.0.6 required for connecting to LDAP",
	+ "mkopinsky/zxcvbn-php": "^4.4.2 required for Zxcvbn password strength driver"
	}
	}
	diff --git a/plugins/password/README b/plugins/password/README
	index 2b2fc26ee..a14a80c45 100644
	--- a/plugins/password/README
	+++ b/plugins/password/README
	@@ -1,428 +1,436 @@
	-----------------------------------------------------------------------
	Password Plugin for Roundcube
	-----------------------------------------------------------------------
	Plugin that adds a possibility to change user password using many
	methods (drivers) via Settings/Password tab.
	-----------------------------------------------------------------------
	This program is free software: you can redistribute it and/or modify
	it under the terms of the GNU General Public License as published by
	the Free Software Foundation, either version 3 of the License, or
	(at your option) any later version.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	GNU General Public License for more details.

	You should have received a copy of the GNU General Public License
	along with this program. If not, see http://www.gnu.org/licenses/.

	@author Aleksander Machniak <alec@alec.pl>
	@author <see driver files for driver authors>
	-----------------------------------------------------------------------

	1. Configuration
	2. Drivers
	2.1. Database (sql)
	2.2. Cyrus/SASL (sasl)
	2.3. Poppassd/Courierpassd (poppassd)
	2.4. LDAP (ldap)
	2.5. DirectAdmin Control Panel (directadmin)
	2.6. cPanel
	2.6.1. cPanel WHM (cpanel)
	2.6.2. cPanel Webmail (cpanel_webmail)
	2.7. XIMSS/Communigate (ximms)
	2.8. Virtualmin (virtualmin)
	2.9. hMailServer (hmail)
	2.10. PAM (pam)
	2.11. Chpasswd (chpasswd)
	2.12. LDAP - no PEAR (ldap_simple)
	2.13. XMail (xmail)
	2.14. Pw (pw_usermod)
	2.15. domainFACTORY (domainfactory)
	2.16. DBMail (dbmail)
	2.17. Expect (expect)
	2.18. Samba (smb)
	2.19. Vpopmail daemon (vpopmaild)
	2.20. Plesk (Plesk RPC-API)
	2.21. Kpasswd
	2.22. Modoboa
	3. Driver API
	4. Sudo setup


	1. Configuration
	----------------

	Copy config.inc.php.dist to config.inc.php and set the options as described
	within the file.


	2. Drivers
	----------


	2.1. Password Change Drivers
	----------------------------

	Password plugin supports many password change mechanisms which are
	handled by included drivers. Just pass driver name in 'password_driver' option.

	2.1.1. Database (sql)
	---------------------

	You can specify which database to connect by 'password_db_dsn' option and
	what SQL query to execute by 'password_query'. See config.inc.php.dist file for
	more info.

	Example implementations of an update_passwd function:

	- This is for use with LMS (http://lms.org.pl) database and postgres:

	CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$
	DECLARE
	res integer;
	BEGIN
	UPDATE passwd SET password = hash
	WHERE login = split_part(account, '@', 1)
	AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2))
	RETURNING id INTO res;
	RETURN res;
	END;
	$$ LANGUAGE plpgsql SECURITY DEFINER;

	- This is for use with a SELECT update_passwd(%o,%c,%u) query
	Updates the password only when the old password matches the MD5 password
	in the database

	CREATE FUNCTION update_password (oldpass text, cryptpass text, user text) RETURNS text
	MODIFIES SQL DATA
	BEGIN
	DECLARE currentsalt varchar(20);
	DECLARE error text;
	SET error = 'incorrect current password';
	SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user;
	SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
	UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
	RETURN error;
	END

	Example SQL UPDATEs:

	- Plain text passwords:
	UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1

	- Crypt text passwords:
	UPDATE users SET password=%c WHERE username=%u LIMIT 1

	- Use a MYSQL crypt function (*nix only) with random 8 character salt
	UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1

	- MD5 stored passwords:
	UPDATE users SET password=MD5(%p) WHERE username=%u AND password=MD5(%o) LIMIT 1


	2.1.2. Cyrus/SASL (sasl)
	------------------------

	Cyrus SASL database authentication allows your Cyrus+Roundcube
	installation to host mail users without requiring a Unix Shell account!

	This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos
	and PAM authentication mechanisms will require other techniques to enable
	user password manipulations.

	Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
	user passwords in the "sasldb" database. This plugin attempts to use
	this utility to perform password manipulations required by your webmail
	users without any administrative interaction. Unfortunately, this
	scheme requires that the "saslpasswd" utility be run as the "cyrus"
	user - kind of a security problem since we have chosen to SUID a small
	script which will allow this to happen.

	This driver is based on the Squirrelmail Change SASL Password Plugin.
	See http://www.squirrelmail.org/plugin_view.php?id=107 for details.

	Installation:

	Change into the helpers directory. Edit the chgsaslpasswd.c file as is
	documented within it.

	Compile the wrapper program:
	gcc -o chgsaslpasswd chgsaslpasswd.c

	Chown the compiled chgsaslpasswd binary to the cyrus user and group
	that your browser runs as, then chmod them to 4550.

	For example, if your cyrus user is 'cyrus' and the apache server group is
	'nobody' (I've been told Redhat runs Apache as user 'apache'):

	chown cyrus:nobody chgsaslpasswd
	chmod 4550 chgsaslpasswd

	Stephen Carr has suggested users should try to run the scripts on a test
	account as the cyrus user eg;

	su cyrus -c "./chgsaslpasswd -p test_account"

	This will allow you to make sure that the script will work for your setup.
	Should the script not work, make sure that:
	1) the user the script runs as has access to the saslpasswd\|saslpasswd2
	file and proper permissions
	2) make sure the user in the chgsaslpasswd.c file is set correctly.
	This could save you some headaches if you are the paranoid type.


	2.1.3. Poppassd/Courierpassd (poppassd)
	---------------------------------------

	You can specify which host to connect to via 'password_pop_host' and
	what port via 'password_pop_port'. See config.inc.php.dist file for more info.


	2.1.4. LDAP (ldap)
	------------------

	See config.inc.php.dist file. Requires PEAR::Net_LDAP2 package.


	2.1.5. DirectAdmin Control Panel (directadmin)
	----------------------------------------------

	You can specify which host to connect to via 'password_directadmin_host' (don't
	forget to use tcp:// or ssl://) and what port via 'password_direactadmin_port'.
	The password enforcement with plenty customization can be done directly by
	DirectAdmin, please see http://www.directadmin.com/features.php?id=910
	See config.inc.php.dist file for more info.


	2.1.6. cPanel
	-------------

	cPanel offers various APIs. The `cpanel` driver is configured with and admin
	account. It can change user's passwords without access to the current password.
	See the next section.

	The `cpanel_webmail` driver authenticates as the current user and does not need
	an admin account. See 2.6.2.


	2.1.6.1. cPanel WHM (cpanel)
	----------------------------

	Install cPanel XMLAPI Client Class into Roundcube program/lib directory
	or any other place in PHP include path. You can get the class from
	https://raw.github.com/CpanelInc/xmlapi-php/master/xmlapi.php

	You can configure parameters for connection to cPanel's API interface.
	See config.inc.php.dist file for more info.


	2.1.6.2. cPanel Webmail (cpanel_webmail)
	----------------------------------------

	Specify the host to connect to via 'password_webmail_cpanel_host'. This driver
	comes with a minimal UAPI implementation and does not use the external xmlapi
	class. It requires php-curl extension.

	See config.inc.php.dist file for more info.


	2.1.7. XIMSS/Communigate (ximms)
	--------------------------------

	You can specify which host and port to connect to via 'password_ximss_host'
	and 'password_ximss_port'. See config.inc.php.dist file for more info.


	2.1.8. Virtualmin (virtualmin)
	------------------------------

	As in sasl driver this one allows to change password using shell
	utility called "virtualmin". See helpers/chgvirtualminpasswd.c for
	installation instructions. Requires virtualmin >= 4.09.


	2.1.9. hMailServer (hmail)
	--------------------------

	Requires PHP COM (Windows only). For access to hMail server on remote host
	you'll need to define 'hmailserver_remote_dcom' and 'hmailserver_server'.
	See config.inc.php.dist file for more info.


	2.1.10. PAM (pam)
	-----------------

	This driver is for changing passwords of shell users authenticated with PAM.
	Requires PECL's PAM exitension to be installed (http://pecl.php.net/package/PAM).


	2.1.11. Chpasswd (chpasswd)
	---------------------------

	Driver that adds functionality to change the systems user password via
	the 'chpasswd' command. See config.inc.php.dist file.

	Attached wrapper script (helpers/chpass-wrapper.py) restricts password changes
	to uids >= 1000 and can deny requests based on a blacklist.


	2.1.12. LDAP - no PEAR (ldap_simple)
	-------------------------------------

	It's rewritten ldap driver that doesn't require the Net_LDAP2 PEAR extension.
	It uses directly PHP's ldap module functions instead (as Roundcube does).

	This driver is fully compatible with the ldap driver, but
	does not require (or uses) the
	$config['password_ldap_force_replace'] variable.
	Other advantages:
	* Connects only once with the LDAP server when using the search user.
	* Does not read the DN, but only replaces the password within (that is
	why the 'force replace' is always used).


	2.1.13. XMail (xmail)
	----------------------

	Driver for XMail (www.xmailserver.org). See config.inc.php.dist file
	for configuration description.


	2.1.14. Pw (pw_usermod)
	------------------------

	Driver to change the systems user password via the 'pw usermod' command.
	See config.inc.php.dist file for configuration description.


	2.1.15. domainFACTORY (domainfactory)
	-------------------------------------

	Driver for the hosting provider domainFACTORY (www.df.eu).
	No configuration options.


	2.1.16. DBMail (dbmail)
	------------------------

	Driver that adds functionality to change the users DBMail password.
	It only works with dbmail-users on the same host where Roundcube runs
	and requires shell access and gcc in order to compile the binary
	(see instructions in chgdbmailusers.c file).
	See config.inc.php.dist file for configuration description.

	Note: DBMail users can also use sql driver.


	2.1.17. Expect (expect)
	------------------------

	Driver to change user password via the 'expect' command.
	See config.inc.php.dist file for configuration description.


	2.1.18. Samba (smb)
	--------------------

	Driver to change Samba user password via the 'smbpasswd' command.
	See config.inc.php.dist file for configuration description.


	2.1.19. Vpopmail daemon (vpopmaild)
	-------------------------------------

	Driver for the daemon of vpopmail. Vpopmail is used with qmail to
	enable virtual users that are saved in a database and not in /etc/passwd.

	Set $config['password_vpopmaild_host'] to the host where vpopmaild runs.

	Set $config['password_vpopmaild_port'] to the port of vpopmaild.

	Set $config['password_vpopmaild_timeout'] to the timeout used for the TCP
	connection to vpopmaild (You may want to set it higher on busy servers).


	2.1.20. Plesk (Plesk RPC-API)
	-----------------------------

	Driver for changing Passwords via Plesk RPC-API. This Driver also works with
	Parallels Plesk Automation (PPA).

	You need to allow the IP of the Roundcube-Server for RPC-Calls in the Panel.

	Set $config['password_plesk_host'] to the Hostname / IP where Plesk runs
	Set your Admin or RPC User: $config['password_plesk_user']
	Set the Password of the User: $config['password_plesk_pass']
	Set $config['password_plesk_rpc_port'] for the RPC-Port. Usually its 8443
	Set the RPC-Path in $config['password_plesk_rpc_path']. Normally this is: enterprise/control/agent.php.


	2.1.21. Kpasswd
	---------------

	Driver to change the password in Kerberos environments via the 'kpasswd' command.
	See config.inc.php.dist file for configuration description.


	2.1.22. Modoboa
	---------------

	Driver to change the password in Modoboa servers.
	See config.inc.php.dist file for configuration description.


	2.2. Password Strength Drivers
	------------------------------

	Password plugin supports many password strength checking mechanisms which are
	handled by included drivers. Just pass driver name in 'password_strength_driver' option.


	+ 2.2.1. Zxcvbn
	+ -------------
	+
	+ Driver to use the Zxcvbn library to check password strength. Requires zxcvbn-php library.
	+
	+ Set $config['password_zxcvbn_min_score'] to define minimum acceptable password strength score.
	+
	+
	3. Driver API
	-------------

	Driver file (<driver_name>.php) must define rcube_<driver_name>_password class. Drivers should
	provide one or both of a public save() or check_strength() method.

	All password changing drivers (used in config `password_driver` - the password driver) must have
	a save() method. The same driver can also contain a check_strength() method or a separate driver
	containing this method can be used in `password_strength_driver` (the strength driver). To enable
	strength checks ensure `password_check_strength` is set to true.

	The save() method, used for changing the password has two arguments:
	First - current password, second - new password.
	This method should return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR,
	PASSWORD_CRYPT_ERROR, PASSWORD_ERROR when driver was unable to change password.
	Extended result (as a hash-array with 'message' and 'code' items) can be returned
	too. See existing drivers in drivers/ directory for examples.

	Optionally a password driver can contain a compare() method which has three arguments:
	First - current password, second - test password, third - compare type.
	Compare type: PASSWORD_COMPARE_CURRENT - when comparing the test password with current password.
	PASSWORD_COMPARE_NEW - when comparing the current password with the test password.
	For PASSWORD_COMPARE_CURRENT it should return error text if user entered and real current password
	DO NOT MATCH. For PASSWORD_COMPARE_NEW it should return error text if user entered and real current
	password DO MATCH. Else it should return null (no error).

	The check_strength() method, used for checking password strength has one argument: new password.
	This method should return null on success or error message text on failure.

	Optionally a strength driver can contain a strength_rules() method. This has no arguments as returns
	a string, or array of strings explaining the password strength rules.


	4. Sudo setup
	-------------

	Some drivers that execute system commands (like chpasswd) require use of sudo command.
	Here's a sample for CentOS 7:

	# cat <<END >/etc/sudoers.d/99-roundcubemail
	apache ALL=NOPASSWD:/usr/sbin/chpasswd
	Defaults:apache !requiretty
	<<END

	Note: on different systems the username (here 'apache') may be different, e.g. www.
	Note: on some systems the disabling tty line may not be needed.
	diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
	index b106bb0a7..e624d1323 100644
	--- a/plugins/password/config.inc.php.dist
	+++ b/plugins/password/config.inc.php.dist
	@@ -1,494 +1,501 @@
	<?php

	// Password Plugin options
	// -----------------------
	// A driver to use for password change. Default: "sql".
	// See README file for list of supported driver names.
	$config['password_driver'] = 'sql';

	// A driver to use for checking password strength. Default: null.
	// Set password_check_strength to true to enable
	// See README file for list of supported driver names.
	$config['password_strength_driver'] = null;

	// Determine whether current password is required to change password.
	// Default: false.
	$config['password_confirm_current'] = true;

	// Require the new password to be a certain length.
	// set to blank to allow passwords of any length
	$config['password_minimum_length'] = 0;

	// Require the new password to contain a letter and punctuation character
	// Change to false to remove this check.
	$config['password_check_strength'] = false;

	// Enables logging of password changes into logs/password
	$config['password_log'] = false;

	// Comma-separated list of login exceptions for which password change
	// will be not available (no Password tab in Settings)
	$config['password_login_exceptions'] = null;

	// Array of hosts that support password changing.
	// Listed hosts will feature a Password option in Settings; others will not.
	// Example: array('mail.example.com', 'mail2.example.org');
	// Default is NULL (all hosts supported).
	$config['password_hosts'] = null;

	// Enables saving the new password even if it matches the old password. Useful
	// for upgrading the stored passwords after the encryption scheme has changed.
	$config['password_force_save'] = false;

	// Enables forcing new users to change their password at their first login.
	$config['password_force_new_user'] = false;

	// Default password hashing/crypting algorithm.
	// Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt,
	// sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, samba, ad, dovecot, clear.
	// For details see password::hash_password() method.
	$config['password_algorithm'] = 'clear';

	// Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated
	// using password_algorithm above. Default: empty.
	$config['password_algorithm_prefix'] = '';

	// Path for dovecotpw/doveadm-pw (if not in the $PATH).
	// Used for password_algorithm = 'dovecot'.
	// $config['password_dovecotpw'] = '/usr/local/sbin/doveadm pw'; // for dovecot-2.x
	$config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; // for dovecot-1.x

	// Dovecot password scheme.
	// Used for password_algorithm = 'dovecot'.
	$config['password_dovecotpw_method'] = 'CRAM-MD5';

	// Enables use of password with method prefix, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/
	// when using password_algorithm=dovecot
	$config['password_dovecotpw_with_method'] = false;

	// Iteration count parameter for Blowfish-based hashing algo.
	// It must be between 4 and 31. Default: 12.
	// Be aware, the higher the value, the longer it takes to generate the password hashes.
	$config['password_blowfish_cost'] = 12;

	// Number of rounds for the sha256 and sha512 crypt hashing algorithms.
	// Must be at least 1000. If not set, then the number of rounds is left up
	// to the crypt() implementation. On glibc this defaults to 5000.
	// Be aware, the higher the value, the longer it takes to generate the password hashes.
	//$config['password_crypt_rounds'] = 50000;

	// This option temporarily disables the password change functionality.
	// Use it when the users database server is in maintenance mode or sth like that.
	// You can set it to TRUE/FALSE or a text describing the reason
	// which will replace the default.
	$config['password_disabled'] = false;

	// Various drivers/setups use different format of the username.
	// This option allows you to force specified format use. Default: '%u'.
	// Supported variables:
	// %u - full username,
	// %l - the local part of the username (in case the username is an email address)
	// %d - the domain part of the username (in case the username is an email address)
	// Note: This may no apply to some drivers implementing their own rules, e.g. sql.
	$config['password_username_format'] = '%u';


	// SQL Driver options
	// ------------------
	// PEAR database DSN for performing the query. By default
	// Roundcube DB settings are used.
	// Supported replacement variables:
	// %h - user's IMAP hostname
	// %n - hostname ($_SERVER['SERVER_NAME'])
	// %t - hostname without the first part
	// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
	// %z - IMAP domain (IMAP hostname without the first part)
	$config['password_db_dsn'] = '';

	// The SQL query used to change the password.
	// The query can contain the following macros that will be expanded as follows:
	// %p is replaced with the plaintext new password
	// %P is replaced with the crypted/hashed new password
	// according to configured password_method
	// %o is replaced with the old (current) password
	// %O is replaced with the crypted/hashed old (current) password
	// according to configured password_method
	// %h is replaced with the imap host (from the session info)
	// %u is replaced with the username (from the session info)
	// %l is replaced with the local part of the username
	// (in case the username is an email address)
	// %d is replaced with the domain part of the username
	// (in case the username is an email address)
	// Deprecated macros:
	// %c is replaced with the crypt version of the new password, MD5 if available
	// otherwise DES. More hash function can be enabled using the password_crypt_hash
	// configuration parameter.
	// %D is replaced with the dovecotpw-crypted version of the new password
	// %n is replaced with the hashed version of the new password
	// %q is replaced with the hashed password before the change
	// Escaping of macros is handled by this module.
	// Default: "SELECT update_passwd(%c, %u)"
	$config['password_query'] = 'SELECT update_passwd(%c, %u)';

	// By default the crypt() function which is used to create the %c
	// parameter uses the md5 algorithm (deprecated, use %P).
	// You can choose between: des, md5, blowfish, sha256, sha512.
	$config['password_crypt_hash'] = 'md5';

	// By default domains in variables are using unicode.
	// Enable this option to use punycoded names
	$config['password_idn_ascii'] = false;

	// Using a password hash for %n and %q variables (deprecated, use %P).
	// Determine which hashing algorithm should be used to generate
	// the hashed new and current password for using them within the
	// SQL query. Requires PHP's 'hash' extension.
	$config['password_hash_algorithm'] = 'sha1';

	// You can also decide whether the hash should be provided
	// as hex string or in base64 encoded format.
	$config['password_hash_base64'] = false;


	// Poppassd Driver options
	// -----------------------
	// The host which changes the password (default: localhost)
	// Supported replacement variables:
	// %n - hostname ($_SERVER['SERVER_NAME'])
	// %t - hostname without the first part
	// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
	// %h - IMAP host
	// %z - IMAP domain without first part
	// %s - domain name after the '@' from e-mail address provided at login screen
	$config['password_pop_host'] = 'localhost';

	// TCP port used for poppassd connections (default: 106)
	$config['password_pop_port'] = 106;


	// SASL Driver options
	// -------------------
	// Additional arguments for the saslpasswd2 call
	$config['password_saslpasswd_args'] = '';


	// LDAP and LDAP_SIMPLE Driver options
	// -----------------------------------
	// LDAP server name to connect to.
	// You can provide one or several hosts in an array in which case the hosts are tried from left to right.
	// Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com');
	// Default: 'localhost'
	$config['password_ldap_host'] = 'localhost';

	// LDAP server port to connect to
	// Default: '389'
	$config['password_ldap_port'] = '389';

	// TLS is started after connecting
	// Using TLS for password modification is recommended.
	// Default: false
	$config['password_ldap_starttls'] = false;

	// LDAP version
	// Default: '3'
	$config['password_ldap_version'] = '3';

	// LDAP base name (root directory)
	// Exemple: 'dc=exemple,dc=com'
	$config['password_ldap_basedn'] = 'dc=exemple,dc=com';

	// LDAP connection method
	// There are two connection methods for changing a user's LDAP password.
	// 'user': use user credential (recommended, require password_confirm_current=true)
	// 'admin': use admin credential (this mode require password_ldap_adminDN and password_ldap_adminPW)
	// Default: 'user'
	$config['password_ldap_method'] = 'user';

	// LDAP Admin DN
	// Used only in admin connection mode
	// Default: null
	$config['password_ldap_adminDN'] = null;

	// LDAP Admin Password
	// Used only in admin connection mode
	// Default: null
	$config['password_ldap_adminPW'] = null;

	// LDAP user DN mask
	// The user's DN is mandatory and as we only have his login,
	// we need to re-create his DN using a mask
	// '%login' will be replaced by the current roundcube user's login
	// '%name' will be replaced by the current roundcube user's name part
	// '%domain' will be replaced by the current roundcube user's domain part
	// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
	// Exemple: 'uid=%login,ou=people,dc=exemple,dc=com'
	$config['password_ldap_userDN_mask'] = 'uid=%login,ou=people,dc=exemple,dc=com';

	// LDAP search DN
	// The DN roundcube should bind with to find out user's DN
	// based on his login. Note that you should comment out the default
	// password_ldap_userDN_mask setting for this to take effect.
	// Use this if you cannot specify a general template for user DN with
	// password_ldap_userDN_mask. You need to perform a search based on
	// users login to find his DN instead. A common reason might be that
	// your users are placed under different ou's like engineering or
	// sales which cannot be derived from their login only.
	$config['password_ldap_searchDN'] = 'cn=roundcube,ou=services,dc=example,dc=com';

	// LDAP search password
	// If password_ldap_searchDN is set, the password to use for
	// binding to search for user's DN. Note that you should comment out the default
	// password_ldap_userDN_mask setting for this to take effect.
	// Warning: Be sure to set approperiate permissions on this file so this password
	// is only accesible to roundcube and don't forget to restrict roundcube's access to
	// your directory as much as possible using ACLs. Should this password be compromised
	// you want to minimize the damage.
	$config['password_ldap_searchPW'] = 'secret';

	// LDAP search base
	// If password_ldap_searchDN is set, the base to search in using the filter below.
	// Note that you should comment out the default password_ldap_userDN_mask setting
	// for this to take effect.
	$config['password_ldap_search_base'] = 'ou=people,dc=example,dc=com';

	// LDAP search filter
	// If password_ldap_searchDN is set, the filter to use when
	// searching for user's DN. Note that you should comment out the default
	// password_ldap_userDN_mask setting for this to take effect.
	// '%login' will be replaced by the current roundcube user's login
	// '%name' will be replaced by the current roundcube user's name part
	// '%domain' will be replaced by the current roundcube user's domain part
	// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
	// Example: '(uid=%login)'
	// Example: '(&(objectClass=posixAccount)(uid=%login))'
	$config['password_ldap_search_filter'] = '(uid=%login)';

	// LDAP password hash type
	// Standard LDAP encryption type which must be one of: crypt,
	// ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad, cram-md5 (dovecot style) or clear.
	// Set to 'default' if you want to use method specified in password_algorithm option above.
	// Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+crypt'
	// Default: 'crypt'.
	$config['password_ldap_encodage'] = 'crypt';

	// LDAP password attribute
	// Name of the ldap's attribute used for storing user password
	// Default: 'userPassword'
	$config['password_ldap_pwattr'] = 'userPassword';

	// LDAP password force replace
	// Force LDAP replace in cases where ACL allows only replace not read
	// See http://pear.php.net/package/Net_LDAP2/docs/latest/Net_LDAP2/Net_LDAP2_Entry.html#methodreplace
	// Default: true
	$config['password_ldap_force_replace'] = true;

	// LDAP Password Last Change Date
	// Some places use an attribute to store the date of the last password change
	// The date is meassured in "days since epoch" (an integer value)
	// Whenever the password is changed, the attribute will be updated if set (e.g. shadowLastChange)
	$config['password_ldap_lchattr'] = '';

	// LDAP Samba password attribute, e.g. sambaNTPassword
	// Name of the LDAP's Samba attribute used for storing user password
	$config['password_ldap_samba_pwattr'] = '';

	// LDAP Samba Password Last Change Date attribute, e.g. sambaPwdLastSet
	// Some places use an attribute to store the date of the last password change
	// The date is meassured in "seconds since epoch" (an integer value)
	// Whenever the password is changed, the attribute will be updated if set
	$config['password_ldap_samba_lchattr'] = '';

	// LDAP PPolicy Driver options
	// -----------------------------------

	// LDAP Change password command - filename of the perl script
	// Example: 'change_ldap_pass.pl'
	$config['password_ldap_ppolicy_cmd'] = 'change_ldap_pass.pl';

	// LDAP URI
	// Example: 'ldap://ldap.example.com/ ldaps://ldap2.example.com:636/'
	$config['password_ldap_ppolicy_uri'] = 'ldap://localhost/';

	// LDAP base name (root directory)
	// Exemple: 'dc=exemple,dc=com'
	$config['password_ldap_ppolicy_basedn'] = 'dc=example,dc=com';

	$config['password_ldap_ppolicy_searchDN'] = 'cn=someuser,dc=example,dc=com';

	$config['password_ldap_ppolicy_searchPW'] = 'secret';

	// LDAP search filter
	// Example: '(uid=%login)'
	// Example: '(&(objectClass=posixAccount)(uid=%login))'
	$config['password_ldap_ppolicy_search_filter'] = '(uid=%login)';

	// CA Certificate file if in URI is LDAPS connection
	$config['password_ldap_ppolicy_cafile'] = '/etc/ssl/cacert.crt';



	// DirectAdmin Driver options
	// --------------------------
	// The host which changes the password
	// Use 'ssl://host' instead of 'tcp://host' when running DirectAdmin over SSL.
	// The host can contain the following macros that will be expanded as follows:
	// %h is replaced with the imap host (from the session info)
	// %d is replaced with the domain part of the username (if the username is an email)
	$config['password_directadmin_host'] = 'tcp://localhost';

	// TCP port used for DirectAdmin connections
	$config['password_directadmin_port'] = 2222;


	// vpopmaild Driver options
	// -----------------------
	// The host which changes the password
	$config['password_vpopmaild_host'] = 'localhost';

	// TCP port used for vpopmaild connections
	$config['password_vpopmaild_port'] = 89;

	// Timeout used for the connection to vpopmaild (in seconds)
	$config['password_vpopmaild_timeout'] = 10;


	// cPanel Driver options
	// --------------------------
	// The cPanel Host name
	$config['password_cpanel_host'] = 'host.domain.com';

	// The cPanel admin username
	$config['password_cpanel_username'] = 'username';

	// The cPanel admin password
	$config['password_cpanel_password'] = 'password';

	// The cPanel admin hash
	// If you prefer to use a hash (Remote Access Key) instead of plain password, enter it below.
	// Hash takes precedence over password auth.
	// You can generate a Remote Access Key in WHM -> Clusters -> Remote Access Key
	$config['password_cpanel_hash'] = '';

	// The cPanel port to use
	$config['password_cpanel_port'] = 2087;


	// cPanel Webmail Driver options
	// -----------------------------
	// The cPanel Host name
	$config['password_cpanel_webmail_host'] = 'host.domain.com';

	// The cPanel port to use
	$config['password_cpanel_webmail_port'] = 2096;


	// XIMSS (Communigate server) Driver options
	// -----------------------------------------
	// Host name of the Communigate server
	$config['password_ximss_host'] = 'mail.example.com';

	// XIMSS port on Communigate server
	$config['password_ximss_port'] = 11024;


	// chpasswd Driver options
	// ---------------------
	// Command to use (see "Sudo setup" in README)
	$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2> /dev/null';


	// XMail Driver options
	// ---------------------
	$config['xmail_host'] = 'localhost';
	$config['xmail_user'] = 'YourXmailControlUser';
	$config['xmail_pass'] = 'YourXmailControlPass';
	$config['xmail_port'] = 6017;


	// hMail Driver options
	// -----------------------
	// Remote hMailServer configuration
	// true: HMailserver is on a remote box (php.ini: com.allow_dcom = true)
	// false: Hmailserver is on same box as PHP
	$config['hmailserver_remote_dcom'] = false;
	// Windows credentials
	$config['hmailserver_server'] = array(
	'Server' => 'localhost', // hostname or ip address
	'Username' => 'administrator', // windows username
	'Password' => 'password' // windows user password
	);


	// pw_usermod Driver options
	// --------------------------
	// Use comma delimited exlist to disable password change for users.
	// See "Sudo setup" in README file.
	$config['password_pw_usermod_cmd'] = 'sudo /usr/sbin/pw usermod -h 0 -n';


	// DBMail Driver options
	// -------------------
	// Additional arguments for the dbmail-users call
	$config['password_dbmail_args'] = '-p sha512';


	// Expect Driver options
	// ---------------------
	// Location of expect binary
	$config['password_expect_bin'] = '/usr/bin/expect';

	// Location of expect script (see helpers/passwd-expect)
	$config['password_expect_script'] = '';

	// Arguments for the expect script. See the helpers/passwd-expect file for details.
	// This is probably a good starting default:
	// -telent -host localhost -output /tmp/passwd.log -log /tmp/passwd.log
	$config['password_expect_params'] = '';


	// smb Driver options
	// ---------------------
	// Samba host (default: localhost)
	// Supported replacement variables:
	// %n - hostname ($_SERVER['SERVER_NAME'])
	// %t - hostname without the first part
	// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
	$config['password_smb_host'] = 'localhost';
	// Location of smbpasswd binary (default: /usr/bin/smbpasswd)
	$config['password_smb_cmd'] = '/usr/bin/smbpasswd';

	// gearman driver options
	// ---------------------
	// Gearman host (default: localhost)
	$config['password_gearman_host'] = 'localhost';


	// Plesk/PPA Driver options
	// --------------------
	// You need to allow RCP for IP of roundcube-server in Plesk/PPA Panel

	// Plesk RCP Host
	$config['password_plesk_host'] = '10.0.0.5';

	// Plesk RPC Username
	$config['password_plesk_user'] = 'admin';

	// Plesk RPC Password
	$config['password_plesk_pass'] = 'password';

	// Plesk RPC Port
	$config['password_plesk_rpc_port'] = '8443';

	// Plesk RPC Path
	$config['password_plesk_rpc_path'] = 'enterprise/control/agent.php';


	// kasswd Driver options
	// ---------------------
	// Command to use
	$config['password_kpasswd_cmd'] = '/usr/bin/kpasswd';

	+
	// Modoboa Driver options
	// ---------------------
	// put token number from Modoboa server
	$config['password_modoboa_api_token'] = '';
	+
	+
	+// Zxcvbn Strength Driver options
	+// ------------------------------
	+// minimum Zxcvbn score required for new passwords (0 = weak, 4 = very strong, 3 = default)
	+$config['password_zxcvbn_min_score'] = 3;
	diff --git a/plugins/password/drivers/zxcvbn.php b/plugins/password/drivers/zxcvbn.php
	new file mode 100644
	index 000000000..f99ed5e20
	--- /dev/null
	+++ b/plugins/password/drivers/zxcvbn.php
	@@ -0,0 +1,57 @@
	+<?php
	+
	+/**
	+ * Zxcvb Password Strength Driver
	+ *
	+ * Driver to check password strength using Zxcvbn-PHP
	+ *
	+ * @version 0.1
	+ * @author Philip Weir
	+ *
	+ * Copyright (C) 2018 Philip Weir
	+ *
	+ * This program is free software: you can redistribute it and/or modify
	+ * it under the terms of the GNU General Public License as published by
	+ * the Free Software Foundation, either version 3 of the License, or
	+ * (at your option) any later version.
	+ *
	+ * This program is distributed in the hope that it will be useful,
	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	+ * GNU General Public License for more details.
	+ *
	+ * You should have received a copy of the GNU General Public License
	+ * along with this program. If not, see http://www.gnu.org/licenses/.
	+ */
	+
	+use ZxcvbnPhp\Zxcvbn;
	+
	+class rcube_zxcvbn_password
	+{
	+ function strength_rules()
	+ {
	+ $rcmail = rcmail::get_instance();
	+
	+ $rules = array();
	+ $rules[] = $rcmail->gettext('password.passwordweak');
	+ $rules[] = $rcmail->gettext('password.passwordnoseq');
	+ $rules[] = $rcmail->gettext('password.passwordnocommon');
	+
	+ return $rules;
	+ }
	+
	+ function check_strength($passwd)
	+ {
	+ $rcmail = rcmail::get_instance();
	+ $zxcvbn = new Zxcvbn();
	+ $strength = $zxcvbn->passwordStrength($passwd);
	+ $result = null;
	+
	+ if ($strength['score'] < $rcmail->config->get('password_zxcvbn_min_score', 3)) {
	+ $reason = $strength['feedback']['warning'];
	+ $result = $rcmail->gettext(array('name' => 'password.passwordweakreason', 'vars' => array('reason' => $reason)));
	+ }
	+
	+ return $result;
	+ }
	+}
	diff --git a/plugins/password/localization/en_US.inc b/plugins/password/localization/en_US.inc
	index 89790e53c..90edd6f08 100644
	--- a/plugins/password/localization/en_US.inc
	+++ b/plugins/password/localization/en_US.inc
	@@ -1,42 +1,45 @@
	<?php

	/*
	+-----------------------------------------------------------------------+
	\| plugins/password/localization/<lang>.inc \|
	\| \|
	\| Localization file of the Roundcube Webmail Password plugin \|
	\| Copyright (C) 2012-2013, The Roundcube Dev Team \|
	\| \|
	\| Licensed under the GNU General Public License version 3 or \|
	\| any later version with exceptions for skins & plugins. \|
	\| See the README file for a full license statement. \|
	\| \|
	+-----------------------------------------------------------------------+

	For translation see https://www.transifex.com/projects/p/roundcube-webmail/resource/plugin-password/
	*/

	$labels = array();
	$labels['changepasswd'] = 'Change password';
	$labels['curpasswd'] = 'Current Password:';
	$labels['newpasswd'] = 'New Password:';
	$labels['confpasswd'] = 'Confirm New Password:';

	$messages = array();
	$messages['nopassword'] = 'Please input new password.';
	$messages['nocurpassword'] = 'Please input current password.';
	$messages['passwordincorrect'] = 'Current password incorrect.';
	$messages['passwordinconsistency'] = 'Passwords do not match, please try again.';
	$messages['crypterror'] = 'Could not save new password. Encryption function missing.';
	$messages['connecterror'] = 'Could not save new password. Connection error.';
	$messages['internalerror'] = 'Could not save new password.';
	$messages['passwordshort'] = 'Password must be at least $length characters long.';
	$messages['passwordweak'] = 'Password must include at least one number and one punctuation character.';
	+$messages['passwordweakreason'] = 'Password too weak. $reason';
	+$messages['passwordnoseq'] = 'Password should not be a sequence like 123456 or QWERTY.';
	+$messages['passwordnocommon'] = 'Password should not be a common word or name.';
	$messages['passwordforbidden'] = 'Password contains forbidden characters.';
	$messages['firstloginchange'] = 'This is your first login. Please change your password.';
	$messages['disablednotice'] = 'The system is currently under maintenance and password change is not possible at the moment. Everything should be back to normal soon. We apologize for any inconvenience.';
	$messages['passwinhistory'] = 'This password has already been used previously.';
	$messages['samepasswd'] = 'New password have to be different from the old one.';
	$messages['passwdexpirewarning'] = 'Warning! Your password will expire soon, change it before $expirationdatetime.';
	$messages['passwdexpired'] = 'Your password has expired, you have to change it now!';
	$messages['passwdconstraintviolation'] = 'Password constraint violation. Password probably too weak.';

File Metadata

Mime Type: text/x-diff
Expires: Wed, Mar 18, 10:28 PM (8 h, 19 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 458423
Default Alt Text: (41 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions