On 2012-06-14, Alexander Hall <ha...@openbsd.org> wrote:
> However, combining "Match Group ..." with "ForceCommand ..." would be my 
> first choice, but I have a perversion of wanting to use sshd for 
> everything. :-)

I think you're going to need something like that if you want to update
system passwords in /etc/master.passwd; there used to be the option
of putting them in a specific class and using auth=chpass in login.conf,
but sshd doesn't work with interactive auth mechanisms (it can supply a
single password and that's it).

An alternative is to store passwords separately (ldap/radius/etc) and change
them there; Roundcube's password-change plugin has support for a lot of
methods (see /var/www/roundcubemail/plugins/password/README).

Personally for accounts which should not have system access anyway,
I'd probably stick them in LDAP or a SQL database and have Dovecot auth
against that rather than using system passwords. (You could also dispense
with system accounts completely if wanted and put them all under a "virtual
mailbox" uid).

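An added sshd_config sketch of the "Match Group" plus "ForceCommand" approach mentioned in the quoted text (not from either poster). The group name `pwchange` and the passwd path are assumptions; the forwarding lines are there because ForceCommand on its own does not stop a client from opening forwarded channels.

```conf
# Added example. Assumption: password-only accounts are in group "pwchange".
Match Group pwchange
    # Run passwd whatever command, shell or subsystem the client asks for.
    ForceCommand /usr/bin/passwd
    # passwd prompts interactively, so the session needs a tty.
    PermitTTY yes
    # ForceCommand only replaces the session command; forwarding is
    # negotiated separately, so switch each channel type off.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Running `sshd -t` after editing checks the file for syntax errors before the daemon is reloaded.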