1CKPASSWD(8) InterNetNews Documentation CKPASSWD(8)
2
3
4
6 ckpasswd - nnrpd password authenticator
7
9 ckpasswd [-gs] [-d database] [-f filename] [-u username -p password]
10
12 ckpasswd is the basic password authenticator for nnrpd, suitable for
13 being run from an auth stanza in readers.conf. See readers.conf(5) for
14 more information on how to configure an nnrpd authenticator.
15
16 ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
17 whether that's the correct password for that username. By default,
18 when given no arguments, it tries to check the password using PAM if
19 support for PAM was found when INN was built. Failing that, it tries
20 to check the password against the password field returned by
21 getpwnam(3). Note that these days most systems no longer make real
22 passwords available via getpwnam(3) (some still do if and only if the
23 program calling getpwnam(3) is running as root).
24
25 When using PAM, ckpasswd identifies itself as "nnrpd", not as
26 "ckpasswd", and the PAM configuration must be set up accordingly. The
27 details of PAM configuration are different on different operating
28 systems (and even different Linux distributions); see EXAMPLES below
29 for help getting started, and look for a pam(7) or pam.conf(4) manual
30 page on your system.
31
32 When using any method other than PAM, ckpasswd expects all passwords to
33 be stored encrypted by the system crypt(3) function and calls crypt(3)
34 on the supplied password before comparing it to the expected password.
35 If you're using a different password hash scheme (like MD5), you must
36 use PAM.
37
39 -d database
40 Read passwords from a database (ndbm, gdbm or dbm format depending
41 on what your system has) rather than by using getpwnam(3).
42 ckpasswd expects database.dir and database.pag to exist and to be a
43 database keyed by username with the encrypted passwords as the
44 values.
45
46 While INN doesn't come with a program intended specifically to
47 create such databases, on most systems it's fairly easy to write a
48 Perl script to do so. Something like:
49
50 #!/usr/bin/perl
51 use NDBM_File;
52 use Fcntl;
53 tie (%db, 'NDBM_File', '/path/to/database', O_RDWR|O_CREAT, 0640)
54 or die "Cannot open /path/to/database: $!\n";
55 $| = 1;
56 print "Username: ";
57 my $user = <STDIN>;
58 chomp $user;
59 print "Password: ";
60 my $passwd = <STDIN>;
61 chomp $passwd;
62 my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
63 my $salt = join '', @alphabet[rand 64, rand 64];
64 $db{$user} = crypt ($passwd, $salt);
65 untie %db;
66
67 Note that this will echo back the password when typed; there are
68 obvious improvements that could be made to this, but it should be a
69 reasonable start. Sometimes a program like this will be available
70 with the name dbmpasswd.
71
72 This option will not be available on systems without ndbm, gdbm or
73 dbm libraries.
74
75 -f filename
76 Read passwords from the given file rather than using getpwnam(3).
77 The file is expected to be formatted like a system password file,
78 at least vaguely. That means each line should look something like:
79
80 username:pdIh9NCNslkq6
81
82 (and each line may have an additional colon after the encrypted
83 password and additional data; that data will be ignored by
84 ckpasswd). Lines starting with a number sign ("#") are ignored.
85 INN does not come with a utility to create the encrypted passwords,
86 but htpasswd (which comes with Apache) can do so and it's a quick
87 job with Perl (see the example script under -d, or also below). If
88 using Apache's htpasswd program, be sure to give it the -d option
89 so that it will use crypt(3).
90
91 A line in filename for the user "user" with the password "pass"
92 would be "user:LIfOpbjNaEQYE" as obtained by the following command:
93
94 % htpasswd -nbd user pass
95 user:LIfOpbjNaEQYE
96
97 In case htpasswd is not installed or if you do not want to depend
98 on it, another command involving Perl does a similar job:
99
100 % perl -e 'print "user:".crypt("pass", "LI")."\n";'
101 user:LIfOpbjNaEQYE
102
103 -g Attempt to look up system group corresponding to username and
104 return a string like "user@group" to be matched against in
105 readers.conf. This option is incompatible with the -d and -f
106 options.
107
108 -p password
109 Use password as the password for authentication rather than reading
110 a password using the nnrpd authenticator protocol. This option is
111 useful only for testing your authentication system (particularly
112 since it involves putting a password on the command line), and does
113 not work when ckpasswd is run by nnrpd. If this option is given,
114 -u must also be given.
115
116 -s Check passwords against the result of getspnam(3) instead of
117 getpwnam(3). This function, on those systems that supports it,
118 reads from /etc/shadow or similar more restricted files. If you
119 want to check passwords supplied to nnrpd(8) against system account
120 passwords, you will probably have to use this option on most
121 systems.
122
123 Most systems require special privileges to call getspnam(3), so in
124 order to use this option you may need to make ckpasswd setgid to
125 some group (like group "shadow") or even setuid root. ckpasswd has
126 not been specifically audited for such uses! It is, however, a
127 very small program that you should be able to check by hand for
128 security.
129
130 This configuration is not recommended if it can be avoided, for
131 serious security reasons. See "SECURITY CONSIDERATIONS" in
132 readers.conf(5) for discussion.
133
134 -u username
135 Authenticate as username. This option is useful only for testing
136 (so that you can test your authentication system easily) and does
137 not work when ckpasswd is run by nnrpd. If this option is given,
138 -p must also be given.
139
141 See readers.conf(5) for examples of nnrpd(8) authentication
142 configuration that uses ckpasswd to check passwords.
143
144 An example PAM configuration for /etc/pam.conf that tells ckpasswd to
145 check usernames and passwords against system accounts is:
146
147 nnrpd auth required pam_unix.so
148 nnrpd account required pam_unix.so
149
150 Your system may want you to instead create a file named nnrpd in
151 /etc/pam.d with lines like:
152
153 auth required pam_unix.so
154 account required pam_unix.so
155
156 This is only the simplest configuration. You may be able to include
157 common shared files, and you may want to stack other modules, either to
158 allow different authentication methods or to apply restrictions like
159 lists of users who can't authenticate using ckpasswd. The best guide
160 is the documentation for your system and the other PAM configurations
161 you're already using.
162
163 To test to make sure that ckpasswd is working correctly, you can run it
164 manually and then give it the username (prefixed with
165 "ClientAuthname:") and password (prefixed with "ClientPassword:") on
166 standard input. For example:
167
168 (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') \
169 | ckpasswd -f /path/to/passwd/file
170
171 will check a username of "test" and a password of "testing" against the
172 username and passwords stored in /path/to/passwd/file. On success,
173 ckpasswd will print "User:test" and exit with status 0. On failure, it
174 will print some sort of error message and exit a non-zero status.
175
177 Written by Russ Allbery <eagle@eyrie.org> for InterNetNews.
178
179 $Id: ckpasswd.pod 9937 2015-09-02 12:44:39Z iulius $
180
182 crypt(3), nnrpd(8), pam(7), readers.conf(5).
183
184
185
186INN 2.6.4 2015-09-12 CKPASSWD(8)