
Kerio User Forums » Kerio Connect: Password Policy Inner Workings? (solved) (Any pointers on resetting the counter?)
sio_yknow

Hi all,

After the heartbleed vulnerability, it was decided to change all of our passwords. Given that we were only exposed to the vulnerable version for a short time and we have many users travelling (~100), I decided to give them fair notice to change their own passwords. I have already rekeyed our SSL cert.

Anyway, I set the password policy expiration to 3 weeks and sent an email to everyone explaining how this was going to go. The dutiful/techy people changed their passwords immediately. Unfortunately, they are still subject to the 21 day password policy (i.e. it's not a one-off until I change it again - their counters have been reset to the global 21 day policy) and so they are still getting alerts to say that their password will expire.

I've looked into the mechanism, and as far as I can tell the new password is saved in users.cfg, but there is no reference to password age there, unless the age is part of the hash somehow. Password policy, being domain specific, is likely to be saved within the domain specific tree, I would think. The global settings for the domain are indeed in the domain section on mailserver.cfg, but for individual users it's likely to be in the user's own directory.

After some experimentation, I have narrowed it down to stats.usr, possibly line 9. This is a pure guess though, but line 9 in particular has the following hex string for a test user: 535a16a8 which corresponds to decimal 1398412968 which is the epoch value for when they changed their password:

date --date="@1398412968"
Fri Apr 25 09:02:48 IST 2014

To my question - has anyone tried changing this on the command line (using sed or similar)? I'm worried there's a checksum somewhere that I've missed.

Also, has anyone tried setting it for the future? If I did this, then I could set up a per-user policy i.e. the guys that have already changed their password could have their password change date be set to three weeks from now.

Best regards,

Simon

[Updated on: Fri, 25 July 2014 11:18]

sio_yknow


In case anyone comes across this, it doesn't seem to necessarily be line 9 in every case. It would seem to be the line starting with a lower case h, which on some of my accounts is on line 10.

Regards,

Simon
sio_yknow

I've just had the chance to come back to this and my earlier investigations, while entertaining... well...

xkcd.com/386/

The date I picked out from stats.usr just corresponds to the last time a user logged into webmail, and given that many of our users are using Thunderbird without Kerio integration, their login to webmail was rare and was coincident with them changing their password. Hence the confusion.

The information is now readily apparent. I can only imagine that these fields were unavailable until the password policy had gone through an iteration, or perhaps I just missed them completely.

There's a whole new section in users.cfg relating to password policy and possibly further functionality.
<list name="UserAdditionalData">

Each user is listed. A small number of users have a
LastPasswordChange value of 1397741417, which using date --date="@1397741417" from above shows that this was the exact time of the password policy being implemented, implying they have not changed their passwords since the password policy was enabled and then ultimately suspended for further investigation.

I have never had cause to modify the users.cfg outside the Kerio environment, but if I'm in this position again then that's where I'll look.

Best regards,

Simon
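The two decoding steps the thread walks through (a hex string from stats.usr read as a Unix epoch, and LastPasswordChange epochs in users.cfg compared against the moment the policy was enabled) as an added worked example in Python. This is not code from the post or from Kerio; the only thing the post shows of the users.cfg layout is the opening tag <list name="UserAdditionalData">, so the element and attribute names inside that list (listitem, variable, Name) are assumptions for illustration, and the sample fragment is constructed. The 21-day maximum age and the timestamps 1398412968 and 1397741417 are taken from the thread.

```python
"""Added example (not from the forum post or from Kerio): decode the epoch
values discussed in the thread and report which users still carry the
policy-start timestamp, i.e. have not changed their password since the
policy was enabled, plus when each password reaches the 21-day limit.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict
import xml.etree.ElementTree as ET

# Timestamp at which the poster's password policy was enabled (from the thread).
POLICY_ENABLED_EPOCH = 1397741417
# Expiration the poster configured (from the thread).
POLICY_MAX_AGE = timedelta(days=21)

# Constructed sample imitating a users.cfg fragment. Only the <list> tag is
# from the post; the inner structure is an assumption made for this example.
SAMPLE_USERS_CFG = """<config>
  <list name="UserAdditionalData">
    <listitem>
      <variable name="Name">alice</variable>
      <variable name="LastPasswordChange">1397741417</variable>
    </listitem>
    <listitem>
      <variable name="Name">bob</variable>
      <variable name="LastPasswordChange">1398412968</variable>
    </listitem>
  </list>
</config>
"""


def epoch_to_datetime(epoch: int) -> datetime:
    """Unix epoch seconds to an aware UTC datetime (the post's IST output is UTC+1)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def hex_to_datetime(hex_value: str) -> datetime:
    """Read a 32-bit hex string as a Unix epoch, as the post did for 535a16a8."""
    return epoch_to_datetime(int(hex_value, 16))


def parse_last_password_change(xml_text: str) -> Dict[str, int]:
    """Map user name -> LastPasswordChange epoch from the UserAdditionalData list."""
    root = ET.fromstring(xml_text)
    result: Dict[str, int] = {}
    for item in root.iterfind("./list[@name='UserAdditionalData']/listitem"):
        fields = {v.get("name"): (v.text or "") for v in item.findall("variable")}
        result[fields["Name"]] = int(fields["LastPasswordChange"])
    return result


def password_status(last_changes: Dict[str, int], now_epoch: int) -> Dict[str, dict]:
    """Per user: still at the policy-start timestamp?, expiry date, expired now?"""
    now = epoch_to_datetime(now_epoch)
    report = {}
    for user, ts in last_changes.items():
        changed = epoch_to_datetime(ts)
        expires = changed + POLICY_MAX_AGE
        report[user] = {
            "changed": changed.isoformat(),
            "unchanged_since_policy": ts == POLICY_ENABLED_EPOCH,
            "expires": expires.isoformat(),
            "expired": now >= expires,
        }
    return report


if __name__ == "__main__":
    print("stats.usr value 535a16a8 ->", hex_to_datetime("535a16a8").isoformat())
    changes = parse_last_password_change(SAMPLE_USERS_CFG)
    for user, info in password_status(changes, 1399600000).items():
        print(user, info)
```

Running it prints the stats.usr value as 2014-04-25T08:02:48 UTC, which is the 09:02:48 IST the post obtained with date, and flags alice (still at the policy-start epoch) as not having changed her password since the policy was enabled.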