Read passwords from a database (ndbm, gdbm or dbm format depending on
what your system has) rather than by using getpwnam(3). ckpasswd
expects database.dir and database.pag to exist and to be a database
keyed by username with the encrypted passwords as the values.
While INN doesnt come with a program intended specifically to create such databases, on most systems its fairly easy to write a Perl script to do so. Something like:
Note that this will echo back the password when typed; there are obvious improvements that could be made to this, but it should be a reasonable start. Sometimes a program like this will be available with the name dbmpasswd.
This option will not be available on systems without ndbm, gdbm or dbm libraries.
Read passwords from the given file rather than using getpwnam(3). The
file is expected to be formatted like a system password file, at least
vaguely. That means each line should look something like:
(and each line may have an additional colon after the encrypted password and additional data; that data will be ignored by ckpasswd). Lines starting with a number sign (#) are ignored. INN does not come with a utility to create the encrypted passwords, but htpasswd (which comes with Apache) can do so and its a quick job with Perl (see the example script under -d, or also below). If using Apaches htpasswd program, be sure to give it the -d option so that it will use crypt(3).
A line in filename for the user user with the password pass would be user:LIfOpbjNaEQYE as obtained by the following command:
In case htpasswd is not installed or if you do not want to depend on it, another command involving Perl does a similar job:
|-g||Attempt to look up system group corresponding to username and return a string like user@group to be matched against in readers.conf. This option is incompatible with the -d and -f options.|
|-p password||Use password as the password for authentication rather than reading a password using the nnrpd authenticator protocol. This option is useful only for testing your authentication system (particularly since it involves putting a password on the command line), and does not work when ckpasswd is run by nnrpd. If this option is given, -u must also be given.|
Check passwords against the result of getspnam(3) instead of getpwnam(3).
This function, on those systems that supports it, reads from /etc/shadow
or similar more restricted files. If you want to check passwords supplied
to nnrpd(8) against system account passwords, you will probably have to
use this option on most systems.
Most systems require special privileges to call getspnam(3), so in order to use this option you may need to make ckpasswd setgid to some group (like group shadow) or even setuid root. ckpasswd has not been specifically audited for such uses! It is, however, a very small program that you should be able to check by hand for security.
This configuration is not recommended if it can be avoided, for serious security reasons. See SECURITY CONSIDERATIONS in readers.conf(5) for discussion.
|-u username||Authenticate as username. This option is useful only for testing (so that you can test your authentication system easily) and does not work when ckpasswd is run by nnrpd. If this option is given, -p must also be given.|
See readers.conf(5) for examples of nnrpd(8) authentication configuration that uses ckpasswd to check passwords.
An example PAM configuration for /etc/pam.conf that tells ckpasswd to check usernames and passwords against system accounts is:
nnrpd auth required pam_unix.so nnrpd account required pam_unix.so
Your system may want you to instead create a file named nnrpd in /etc/pam.d with lines like:
auth required pam_unix.so account required pam_unix.so
This is only the simplest configuration. You may be able to include common shared files, and you may want to stack other modules, either to allow different authentication methods or to apply restrictions like lists of users who cant authenticate using ckpasswd. The best guide is the documentation for your system and the other PAM configurations youre already using.
To test to make sure that ckpasswd is working correctly, you can run it manually and then give it the username (prefixed with ClientAuthname:) and password (prefixed with ClientPassword:) on standard input. For example:
(echo ClientAuthname: test ; echo ClientPassword: testing) \ | ckpasswd -f /path/to/passwd/file
will check a username of test and a password of testing against the username and passwords stored in /path/to/passwd/file. On success, ckpasswd will print User:test and exit with status 0. On failure, it will print some sort of error message and exit a non-zero status.
Written by Russ Allbery <email@example.com> for InterNetNews.
$Id: ckpasswd.pod 9937 2015-09-02 12:44:39Z iulius $
crypt(3), nnrpd(8), pam(7), readers.conf(5).
|INN 2.6.0||CKPASSWD (8)||2015-09-12|