Roundcube Password Change Plugin Enhancement

Roundcube has a nice little plugin named "password" that allows your users to change their passwords using the Roundcube Webmail interface. However, the current "drivers" do not work very well in a secure environment. Most drivers need you to have the "sudo" command installed and enabled for the Apache HTTP user. Others require that they be run as root.

The solution is this enhanced driver, based on the "pw_usermod" driver that is mostly used on BSD systems like FreeBSD. Instead of Apache/PHP executing the password change command directly, the driver signs in over SSH and performs the required function as a superuser. An added benefit is that it can also perform password changes on remote machines if needed.

Requirements

  • Linux or FreeBSD running PHP and Apache - This driver was developed and tested on FreeBSD 9.0 with Apache 2.2 and PHP 5.4.
  • The PHP pecl-ssh2 extension must be installed.
  • Roundcube 0.8 or later - This driver was developed and tested on Roundcube 0.9.2.
  • SSH must allow connections from localhost and PHP must be allowed to make SSH connections.
  • The root user must be able to ssh into your server from localhost using public key identification.
  • The "password" plugin for Roundcube must already be installed and activated.

Installation

The archive contains additional files that must be added to the password plugin. Simply extract to your Roundcube installation as follows:

  • plugins/password/helpers/pw_usermod.php
  • plugins/password/drivers/ssh_pw_usermod.php
  • plugins/password/helpers/.htaccess

Then add the contents of "config.inc.php.extra" to "plugins/password/config.inc.php" and edit as needed.

$rcmail_config['password_ssh_pw_usermod_cmd'] = '/usr/local/www/roundcube/plugins/password/helpers/pw_usermod.php';
$rcmail_config['password_ssh_pw_usermod_host'] = 'localhost';
$rcmail_config['password_ssh_pw_usermod_port'] = 22;

Generate new SSH keys to allow the driver to work properly. The driver expects to find two files, "ssh.key" and "ssh.key.pub", in the "helpers" directory. For example, the following command will generate both files and place them into the "helpers" directory:

ssh-keygen -f /usr/local/www/roundcube/plugins/password/helpers/ssh.key

IMPORTANT: Do not use a key file password.

Ensure that "helpers/pw_usermod.php" is executable and owned by root, with no access for group or other users:

chmod 700 /usr/local/www/roundcube/plugins/password/helpers/pw_usermod.php
chown root:root /usr/local/www/roundcube/plugins/password/helpers/pw_usermod.php

Finally, add the contents of "helpers/ssh.key.pub" to the "authorized_keys" file on your server:

cat /usr/local/www/roundcube/plugins/password/helpers/ssh.key.pub >> /root/.ssh/authorized_keys

Securing Your Server

As you would imagine, security here is going to be very important. You do not want outsiders calling the password change script directly and you do not want your private and public keys visible to the world. Ensure that Apache is reading and applying the directives specified in the .htaccess file included with this new driver.
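
The checks implied by this section and by the installation steps can be scripted. The following is an added example, not part of the driver archive. The uid override, the rule that "ssh.key" carries no group/other permission bits, and the BASE_URL argument are assumptions.

```shell
#!/bin/sh
# Added example: audit the "helpers" directory after installation.
# Usage: audit_helpers /usr/local/www/roundcube/plugins/password/helpers
# audit_helpers DIR [UID] prints one line per finding and returns the count.
# UID defaults to 0 (root, per the chown step); the override exists for testing.

# Print "<octal mode> <owner uid>" using GNU stat, falling back to BSD stat.
mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

audit_helpers() {
    dir=$1 want_uid=${2:-0} findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    # Helper script: chmod 700 and root ownership, as in the install steps.
    if [ -f "$dir/pw_usermod.php" ]; then
        set -- $(mode_owner "$dir/pw_usermod.php")
        [ "$1" = 700 ] || fail "pw_usermod.php mode is $1, expected 700"
        [ "$2" = "$want_uid" ] || fail "pw_usermod.php owner uid is $2, expected $want_uid"
    else
        fail "pw_usermod.php is missing"
    fi

    # Private key: assumed policy is no group/other permission bits at all.
    if [ -f "$dir/ssh.key" ]; then
        set -- $(mode_owner "$dir/ssh.key")
        case $1 in *00) ;; *) fail "ssh.key mode is $1, group/other bits set" ;; esac
    else
        fail "ssh.key is missing"
    fi

    # Without this file Apache has no directives to apply to the directory.
    [ -f "$dir/.htaccess" ] || fail ".htaccess is missing"
    return "$findings"
}

# Request the private key over HTTP. 403 or 404 means it is not served; any
# other status means the .htaccess directives are not being applied.
# BASE_URL (the Roundcube root URL) is an assumption supplied by the caller.
http_blocked() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/plugins/password/helpers/ssh.key")
    case $code in 403|404) return 0 ;; *) echo "FAIL: HTTP $code for ssh.key"; return 1 ;; esac
}
```

Run http_blocked from a machine other than the server itself, so the request follows the same path an outsider's would.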

Where to get it

The password change driver can be downloaded using the links below.

Attachment: Roundcube Password Change Driver (File, 13 KB)