1CKPASSWD(8) InterNetNews Documentation CKPASSWD(8)
2
6 ckpasswd - nnrpd password authenticator
7
9 ckpasswd [-gs] [-d database] [-f filename] [-u username -p password]
10
12 ckpasswd is the basic password authenticator for nnrpd, suitable for
13 being run from an auth stanza in readers.conf. See readers.conf(5) for
14 more information on how to configure an nnrpd authenticator.
15 ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
17 whether that's the correct password for that username. By default,
18 when given no arguments, it tries to check the password using PAM if
19 support for PAM was found when INN was built. Failing that, it tries
20 to check the password against the password field returned by getpw‐
21 nam(3). Note that these days most systems no longer make real pass‐
22 words available via getpwnam(3) (some still do if and only if the pro‐
23 gram calling getpwnam(3) is running as root).
24 When using PAM, ckpasswd identifies itself as "nnrpd", not as
26 "ckpasswd", and the PAM configuration must be set up accordingly. The
27 details of PAM configuration are different on different operating sys‐
28 tems (and even different Linux distributions); see EXAMPLES below for
29 help getting started, and look for a pam(7) or pam.conf(4) manual page
30 on your system.
31 When using any method other than PAM, ckpasswd expects all passwords to
33 be stored encrypted by the system crypt(3) function and calls crypt(3)
34 on the supplied password before comparing it to the expected password.
35 IF you're using a different password hash scheme (like MD5), you must
36 use PAM.
37
39 -d database
40 Read passwords from a database (ndbm or dbm format depending on
41 what your system has) rather than by using getpwnam(3). ckpasswd
42 expects database.dir and database.pag to exist and to be a database
43 keyed by username with the encrypted passwords as the values.
44 While INN doesn't come with a program intended specifically to cre‐
46 ate such databases, on most systems it's fairly easy to write a
47 Perl script to do so. Something like:
48 #!/usr/bin/perl
50 use NDBM_File;
51 use Fcntl;
52 tie (%db, 'NDBM_File', '/path/to/database', O_RDWR⎪O_CREAT, 0640)
53 or die "Cannot open /path/to/database: $!\n";
54 $⎪ = 1;
55 print "Username: ";
56 my $user = <STDIN>;
57 chomp $user;
58 print "Password: ";
59 my $passwd = <STDIN>;
60 chomp $passwd;
61 my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
62 my $salt = join '', @alphabet[rand 64, rand 64];
63 $db{$user} = crypt ($passwd, $salt);
64 untie %db;
65 Note that this will echo back the password when typed; there are
67 obvious improvements that could be made to this, but it should be a
68 reasonable start. Sometimes a program like this will be available
69 with the name dbmpasswd.
70 This option will not be available on systems without dbm or ndbm
72 libraries.
73 -f filename
75 Read passwords from the given file rather than using getpwnam(3).
76 The file is expected to be formatted like a system password file,
77 at least vaguely. That means each line should look something like:
78 username:pdIh9NCNslkq6
80 (and each line may have an additional colon after the encrypted
82 password and additional data; that data will be ignored by
83 ckpasswd). Lines starting with a number sign (`#') are ignored.
84 INN does not come with a utility to create the encrypted passwords,
85 but htpasswd (which comes with Apache) can do so and it's a quick
86 job with Perl (see the example script under -d). If using Apache's
87 htpasswd program, be sure to give it the -d option so that it will
88 use crypt(3).
89 -g Attempt to look up system group corresponding to username and
91 return a string like "user@group" to be matched against in read‐
92 ers.conf. This option is incompatible with the -d and -f options.
93 -p password
95 Use password as the password for authentication rather than reading
96 a password using the nnrpd authenticator protocol. This option is
97 useful only for testing your authentication system (particularly
98 since it involves putting a password on the command line), and does
99 not work when ckpasswd is run by nnrpd. If this option is given,
100 -u must also be given.
101 -s Check passwords against the result of getspnam(3) instead of getpw‐
103 nam(3). This function, on those systems that supports it, reads
104 from /etc/shadow or similar more restricted files. If you want to
105 check passwords supplied to nnrpd(8) against system account pass‐
106 words, you will probably have to use this option on most systems.
107 Most systems require special privileges to call getspnam(3), so in
109 order to use this option you may need to make ckpasswd setgid to
110 some group (like group "shadow") or even setuid root. ckpasswd has
111 not been specifically audited for such uses! It is, however, a
112 very small program that you should be able to check by hand for
113 security.
114 This configuration is not recommended if it can be avoided, for
116 serious security reasons. See "SECURITY CONSIDERATIONS" in read‐
117 ers.conf(5) for discussion.
118 -u username
120 Authenticate as username. This option is useful only for testing
121 (so that you can test your authentication system easily) and does
122 not work when ckpasswd is run by nnrpd. If this option is given,
123 -p must also be given.
124
126 See readers.conf(5) for examples of nnrpd(8) authentication configura‐
127 tion that uses ckpasswd to check passwords.
128 An example PAM configuration for /etc/pam.conf that tells ckpasswd to
130 check usernames and passwords against system accounts is:
131 nnrpd auth required pam_unix.so
133 nnrpd account required pam_unix.so
134 Your system may want you to instead create a file named nnrpd in
136 /etc/pam.d with lines like:
137 auth required pam_unix.so
139 account required pam_unix.so
140 This is only the simplest configuration. You may be able to include
142 common shared files, and you may want to stack other modules, either to
143 allow different authentication methods or to apply restrictions like
144 lists of users who can't authenticate using ckpasswd. The best guide
145 is the documentation for your system and the other PAM configurations
146 you're already using.
147 To test to make sure that ckpasswd is working correctly, you can run it
149 manually and then give it the username (prefixed with "ClientAuth‐
150 name:") and password (prefixed with "ClientPassword:") on standard
151 input. For example:
152 (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') \
154 ⎪ ckpasswd -f /path/to/passwd/file
155 will check a username of "test" and a password of "testing" against the
157 username and passwords stored in /path/to/passwd/file. On success,
158 ckpasswd will print "User:test" and exit with status 0. On failure, it
159 will print some sort of error message and exit a non-zero status.
160
162 Written by Russ Allbery <rra@stanford.edu> for InterNetNews.
163 $Id: ckpasswd.8 7215 2005-04-11 20:43:21Z rra $
165
167 readers.conf(5), nnrpd(8)
168 Linux users who want to use PAM should read the Linux-PAM System Admin‐
170 istrator's Guide at <http://www.ker‐
171 nel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html>.
172INN 2.4.3 2005-04-11 CKPASSWD(8)