1CKPASSWD(8)               InterNetNews Documentation               CKPASSWD(8)
2
3
4

NAME

6       ckpasswd - nnrpd password authenticator
7

SYNOPSIS

9       ckpasswd [-gs] [-d database] [-f filename] [-u username -p password]
10

DESCRIPTION

12       ckpasswd is the basic password authenticator for nnrpd, suitable for
13       being run from an auth stanza in readers.conf.  See readers.conf(5) for
14       more information on how to configure an nnrpd authenticator.
15
16       ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
17       whether that's the correct password for that username.  By default,
18       when given no arguments, it tries to check the password using PAM if
19       support for PAM was found when INN was built.  Failing that, it tries
20       to check the password against the password field returned by
21       getpwnam(3).  Note that these days most systems no longer make real
22       passwords available via getpwnam(3) (some still do if and only if the
23       program calling getpwnam(3) is running as root).
24
25       When using PAM, ckpasswd identifies itself as "nnrpd", not as
26       "ckpasswd", and the PAM configuration must be set up accordingly.  The
27       details of PAM configuration are different on different operating
28       systems (and even different Linux distributions); see EXAMPLES below
29       for help getting started, and look for a pam(7) or pam.conf(4) manual
30       page on your system.
31
32       When using any method other than PAM, ckpasswd expects all passwords to
33       be stored encrypted by the system crypt(3) function and calls crypt(3)
34       on the supplied password before comparing it to the expected password.
35       If you're using a different password hash scheme (like MD5), you must
36       use PAM.
37

OPTIONS

39       -d database
40           Read passwords from a database (ndbm, gdbm or dbm format depending
41           on what your system has) rather than by using getpwnam(3).
42           ckpasswd expects database.dir and database.pag to exist and to be a
43           database keyed by username with the encrypted passwords as the
44           values.
45
46           While INN doesn't come with a program intended specifically to
47           create such databases, on most systems it's fairly easy to write a
48           Perl script to do so.  Something like:
49
50               #!/usr/bin/perl
51               use NDBM_File;
52               use Fcntl;
53               tie (%db, 'NDBM_File', '/path/to/database', O_RDWR|O_CREAT, 0640)
54                   or die "Cannot open /path/to/database: $!\n";
55               $| = 1;
56               print "Username: ";
57               my $user = <STDIN>;
58               chomp $user;
59               print "Password: ";
60               my $passwd = <STDIN>;
61               chomp $passwd;
62               my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
63               my $salt = join '', @alphabet[rand 64, rand 64];
64               $db{$user} = crypt ($passwd, $salt);
65               untie %db;
66
67           Note that this will echo back the password when typed; there are
68           obvious improvements that could be made to this, but it should be a
69           reasonable start.  Sometimes a program like this will be available
70           with the name dbmpasswd.
71
72           This option will not be available on systems without ndbm, gdbm or
73           dbm libraries.
74
75       -f filename
76           Read passwords from the given file rather than using getpwnam(3).
77           The file is expected to be formatted like a system password file,
78           at least vaguely.  That means each line should look something like:
79
80               username:pdIh9NCNslkq6
81
82           (and each line may have an additional colon after the encrypted
83           password and additional data; that data will be ignored by
84           ckpasswd).  Lines starting with a number sign ("#") are ignored.
85           INN does not come with a utility to create the encrypted passwords,
86           but htpasswd (which comes with Apache) can do so and it's a quick
87           job with Perl (see the one-line example script below).
88
89           A line in filename for the user "user" with the password "pass"
90           would be "user:LIfOpbjNaEQYE" as obtained with the following
91           command:
92
93               % htpasswd -nbd user pass
94               user:LIfOpbjNaEQYE
95
96           In case htpasswd is not installed on your server, just use the
97           following Perl command which does the same job:
98
99               % perl -e 'print "user:".crypt("pass", "LI")."\n";'
100               user:LIfOpbjNaEQYE
101
102       -g  Attempt to look up system group corresponding to username and
103           return a string like "user@group" to be matched against in
104           readers.conf.  This option is incompatible with the -d and -f
105           options.
106
107       -p password
108           Use password as the password for authentication rather than reading
109           a password using the nnrpd authenticator protocol.  This option is
110           useful only for testing your authentication system (particularly
111           since it involves putting a password on the command line), and does
112           not work when ckpasswd is run by nnrpd.  If this option is given,
113           -u must also be given.
114
115       -s  Check passwords against the result of getspnam(3) instead of
116           getpwnam(3).  This function, on those systems that supports it,
117           reads from /etc/shadow or similar more restricted files.  If you
118           want to check passwords supplied to nnrpd(8) against system account
119           passwords, you will probably have to use this option on most
120           systems.
121
122           Most systems require special privileges to call getspnam(3), so in
123           order to use this option you may need to make ckpasswd setgid to
124           some group (like group "shadow") or even setuid root.  ckpasswd has
125           not been specifically audited for such uses!  It is, however, a
126           very small program that you should be able to check by hand for
127           security.
128
129           This configuration is not recommended if it can be avoided, for
130           serious security reasons.  See "SECURITY CONSIDERATIONS" in
131           readers.conf(5) for discussion.
132
133       -u username
134           Authenticate as username.  This option is useful only for testing
135           (so that you can test your authentication system easily) and does
136           not work when ckpasswd is run by nnrpd.  If this option is given,
137           -p must also be given.
138

EXAMPLES

140       See readers.conf(5) for examples of nnrpd(8) authentication
141       configuration that uses ckpasswd to check passwords.
142
143       An example PAM configuration for /etc/pam.conf that tells ckpasswd to
144       check usernames and passwords against system accounts is:
145
146           nnrpd auth    required pam_unix.so
147           nnrpd account required pam_unix.so
148
149       Your system may want you to instead create a file named nnrpd in
150       /etc/pam.d with lines like:
151
152           auth    required pam_unix.so
153           account required pam_unix.so
154
155       This is only the simplest configuration.  You may be able to include
156       common shared files, and you may want to stack other modules, either to
157       allow different authentication methods or to apply restrictions like
158       lists of users who can't authenticate using ckpasswd.  The best guide
159       is the documentation for your system and the other PAM configurations
160       you're already using.
161
162       To test to make sure that ckpasswd is working correctly, you can run it
163       manually and then give it the username (prefixed with
164       "ClientAuthname:") and password (prefixed with "ClientPassword:") on
165       standard input.  For example:
166
167           (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') \
168               | ckpasswd -f /path/to/passwd/file
169
170       will check a username of "test" and a password of "testing" against the
171       username and passwords stored in /path/to/passwd/file.  On success,
172       ckpasswd will print "User:test" and exit with status 0.  On failure, it
173       will print some sort of error message and exit a non-zero status.
174

HISTORY

176       Written by Russ Allbery <eagle@eyrie.org> for InterNetNews.
177

SEE ALSO

179       crypt(3), nnrpd(8), pam(7), readers.conf(5).
180
181
182
183INN 2.7.0                         2022-07-10                       CKPASSWD(8)
Impressum