1CKPASSWD(8) InterNetNews Documentation CKPASSWD(8)
2
6 ckpasswd - nnrpd password authenticator
7
9 ckpasswd [-gs] [-d database] [-f filename] [-u username -p password]
10
12 ckpasswd is the basic password authenticator for nnrpd, suitable for
13 being run from an auth stanza in readers.conf. See readers.conf(5) for
14 more information on how to configure an nnrpd authenticator.
15 ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
17 whether that's the correct password for that username. By default,
18 when given no arguments, it tries to check the password using PAM if
19 support for PAM was found when INN was built. Failing that, it tries
20 to check the password against the password field returned by
21 getpwnam(3). Note that these days most systems no longer make real
22 passwords available via getpwnam(3) (some still do if and only if the
23 program calling getpwnam(3) is running as root).
24 When using PAM, ckpasswd identifies itself as "nnrpd", not as
26 "ckpasswd", and the PAM configuration must be set up accordingly. The
27 details of PAM configuration are different on different operating
28 systems (and even different Linux distributions); see "EXAMPLES" below
29 for help getting started, and look for a pam(7) or pam.conf(4) manual
30 page on your system.
31 When using any method other than PAM, ckpasswd expects all passwords to
33 be stored encrypted by the system crypt(3) function and calls crypt(3)
34 on the supplied password before comparing it to the expected password.
35 Any password hashing algorithm supported by your libc or libcrypt can
36 be used.
37
39 -d database
40 Read passwords from a database (ndbm, gdbm or dbm format depending
41 on what your system has) rather than by using getpwnam(3).
42 ckpasswd expects database.dir and database.pag to exist and to be a
43 database keyed by username with the encrypted passwords as the
44 values.
45 While INN doesn't come with a program intended specifically to
47 create such databases, on most systems it's fairly easy to write a
48 Perl script to do so. Something like:
49 #!/usr/bin/perl
51 use NDBM_File;
52 use Fcntl;
53 tie (%db, 'NDBM_File', '/path/to/database', O_RDWR|O_CREAT, 0640)
54 or die "Cannot open /path/to/database: $!\n";
55 $| = 1;
56 print "Username: ";
57 my $user = <STDIN>;
58 chomp $user;
59 print "Password: ";
60 my $passwd = <STDIN>;
61 chomp $passwd;
62 my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
63 my $salt = join '', @alphabet[rand 64, rand 64];
64 $db{$user} = crypt ($passwd, $salt);
65 untie %db;
66 Note that this will echo back the password when typed; there are
68 obvious improvements that could be made to this, but it should be a
69 reasonable start. Sometimes a program like this will be available
70 with the name dbmpasswd.
71 This option will not be available on systems without ndbm, gdbm or
73 dbm libraries.
74 -f filename
76 Read passwords from the given file rather than using getpwnam(3).
77 Each line of the file should look something like:
78 username:$5$Hlb2yXPd$2nOO/QR9P1mnRFr/i6L9ybxbgSDXd4UlatKqbcY4eoB
80 joe:FCjOJnpOo50IE:Old weak hash algorithm used for Joe
81 Each line has at least two fields separated by a colon. The first
83 field contains the username; the second field contains a password
84 hashed with the crypt(3) function. Additional colons and data may
85 appear after the encrypted password; that data will be ignored by
86 ckpasswd. Lines starting with a number sign ("#") are ignored.
87 INN does not come with a utility to create the encrypted passwords,
89 but OpenSSL can do so and it's also a quick job with Perl (see the
90 one-line example script below).
91 A line in filename for the user "user" with the password "pass"
93 would be "user:" followed with the output of the following command
94 using SHA-256 as hashing scheme:
95 % openssl passwd -5 pass
97 $5$UIhtJSBOaC0Ap3Vk$nbKgmykshoQ2HmvA3s/nI.X4uhhNHBKTYhBS3pYLjJ6
98 See the openssl-passwd(1) man page for the list of hashing schemes
100 it can generate. You must take one that your system crypt(3)
101 function handles (type "man 3 crypt" or "man 5 crypt" to find the
102 supported hashing schemes).
103 In case OpenSSL is not installed on your server, you can also use
105 the following Perl command which does the same job with SHA-256
106 (see details below to set "YourSalt" to an appropriate value; 5 is
107 the prefix for SHA-256, which does not expect any parameters):
108 % perl -le 'print crypt("pass", q{$5$YourSalt$})'
110 $5$YourSalt$V5hqwFg1nhKb5as6md9KTe5b2NyavsMS6dBYVKfp5W7
111 As Perl makes use of crypt(3), you have access to all available
113 hashing schemes on your systems. For instance, if yescript is
114 supported, you can generate an encrypted password with an argument
115 like "$y$j9T$YourSalt$" to Perl crypt function, where "y" is the
116 prefix for yescript, "j9T" the parameters passed to
117 crypt_gensalt(3) to generate the hashed password (these parameters
118 control the yescript configuration, and correspond in this example
119 to the "YESCRYPT_DEFAULTS" flag, the recommended flavor which has
120 "j" value in 2023, with cost factor of 4096 as block count and 32
121 as block size) and "YourSalt" a string which should be chosen at
122 random and different for each user. The syntax and optimal length
123 of the salt depend on the hashing scheme (e.g. a length multiple of
124 4 for yescript) and cryptographic recommendations (e.g. at least 32
125 random bits in length, following NIST SP 800-63B recommendations in
126 2023).
127 To put it in a nutshell, in the following command, you only have to
129 change the password "pass" and the "YourSalt" random string,
130 different for each user, and leave the rest of the command as-is:
131 % perl -le 'print crypt("pass", q{$y$j9T$YourSalt$})'
133 $y$j9T$YourSalt$X4tB48vKNDT6mK0vNOc7ppKPWvEsyMg5LwoQfO50r2A
134 A random salt of 12 characters can be obtained with the following
136 command (the result corresponds to 72 random bits as each character
137 is selected in a 6-bit range of 64 possible characters):
138 % perl -le 'print join("",
140 (".", "/", 0..9, A..Z, a..z)[map {rand 64} (1..12)])'
141 k2W/17eJu58r
142 -g Attempt to look up system group corresponding to username and
144 return a string like "user@group" to be matched against in
145 readers.conf. This option is incompatible with the -d and -f
146 options.
147 -p password
149 Use password as the password for authentication rather than reading
150 a password using the nnrpd authenticator protocol. This option is
151 useful only for testing your authentication system (particularly
152 since it involves putting a password on the command line), and does
153 not work when ckpasswd is run by nnrpd. If this option is given,
154 -u must also be given.
155 -s Check passwords against the result of getspnam(3) instead of
157 getpwnam(3). This function, on those systems that supports it,
158 reads from /etc/shadow or similar more restricted files. If you
159 want to check passwords supplied to nnrpd(8) against system account
160 passwords, you will probably have to use this option on most
161 systems.
162 Most systems require special privileges to call getspnam(3), so in
164 order to use this option you may need to make ckpasswd setgid to
165 some group (like group "shadow") or even setuid root. ckpasswd has
166 not been specifically audited for such uses! It is, however, a
167 very small program that you should be able to check by hand for
168 security.
169 This configuration is not recommended if it can be avoided, for
171 serious security reasons. See "SECURITY CONSIDERATIONS" in
172 readers.conf(5) for discussion.
173 -u username
175 Authenticate as username. This option is useful only for testing
176 (so that you can test your authentication system easily) and does
177 not work when ckpasswd is run by nnrpd. If this option is given,
178 -p must also be given.
179
181 See readers.conf(5) for examples of nnrpd(8) authentication
182 configuration that uses ckpasswd to check passwords.
183 An example PAM configuration for /etc/pam.conf that tells ckpasswd to
185 check usernames and passwords against system accounts is:
186 nnrpd auth required pam_unix.so
188 nnrpd account required pam_unix.so
189 Your system may want you to instead create a file named nnrpd in
191 /etc/pam.d with lines like:
192 auth required pam_unix.so
194 account required pam_unix.so
195 This is only the simplest configuration. You may be able to include
197 common shared files, and you may want to stack other modules, either to
198 allow different authentication methods or to apply restrictions like
199 lists of users who can't authenticate using ckpasswd. The best guide
200 is the documentation for your system and the other PAM configurations
201 you're already using.
202 To test to make sure that ckpasswd is working correctly, you can run it
204 manually and then give it the username (prefixed with
205 "ClientAuthname:") and password (prefixed with "ClientPassword:") on
206 standard input. For example:
207 (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') \
209 | ckpasswd -f /path/to/passwd/file
210 will check a username of "test" and a password of "testing" against the
212 username and passwords stored in /path/to/passwd/file. On success,
213 ckpasswd will print "User:test" and exit with status 0. On failure, it
214 will print some sort of error message and exit a non-zero status.
215
217 Written by Russ Allbery <eagle@eyrie.org> for InterNetNews.
218
220 crypt(3), nnrpd(8), pam(7), readers.conf(5).
221INN 2.7.1 2023-03-07 CKPASSWD(8)