ckpasswd



CKPASSWD(1)               InterNetNews Documentation               CKPASSWD(1)




NAME

       ckpasswd - nnrpd password authenticator


SYNOPSIS

       ckpasswd [-s] [-d database] [-f filename]


DESCRIPTION

       ckpasswd is the basic password authenticator for nnrpd, suitable for
       being run from an auth stanza in readers.conf(5).  See readers.conf(5)
       for more information on how to configure an nnrpd authenticator.

       ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
       whether that’s the correct password for that username.  By default,
       when given no arguments, it checks the password against the password
       field returned by getpwnam(3).  Note that these days most systems no
       longer make real passwords available via getpwnam(3) (some still do if
       and only if the program calling getpwnam(3) is running as root).

       Note that ckpasswd expects all passwords to be stored encrypted by the
       system crypt(3) function and calls crypt(3) on the supplied password
       before comparing it to the expected password.


OPTIONS

       -d database
           Read passwords from a database (ndbm or dbm format depending on
           what your system has) rather than by using getpwnam(3).  ckpasswd
           expects database.dir and database.pag to exist and to be a database
           keyed by username with the encrypted passwords as the values.

           While INN doesn’t come with a program intended specifically to
           create such databases, on most systems it’s fairly easy to write a
           Perl script to do so.  Something like:

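               #!/usr/bin/perl
               use NDBM_File;
               use Fcntl;
               # Open (or create) the database that ckpasswd -d will read.
               tie (%db, 'NDBM_File', '/path/to/database', O_RDWR | O_CREAT, 0640)
                   or die "Cannot open /path/to/database: $!\n";
               $| = 1;    # unbuffered output, so the prompts appear at once
               print "Username: ";
               my $user = <STDIN>;
               chomp $user;
               print "Password: ";
               my $passwd = <STDIN>;
               chomp $passwd;
               # Two random characters from the crypt(3) salt alphabet.
               my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
               my $salt = join '', @alphabet[rand 64, rand 64];
               # Store the crypt(3) result under the username as key.
               $db{$user} = crypt ($passwd, $salt);
               untie %db;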

           Note that this will echo back the password when typed; there are
           obvious improvements that could be made to this, but it should be a
           reasonable start.

           This option will not be available on systems without dbm or ndbm
           libraries.

       -f filename
           Read passwords from the given file rather than using getpwnam(3).
           The file is expected to be formatted like a system password file,
           at least vaguely.  That means each line should look something like:

               username:pdIh9NCNslkq6

           (and each line may have an additional colon after the encrypted
           password and additional data; that data will be ignored by
           ckpasswd).  INN does not come with a utility to create the
           encrypted passwords, but it’s a quick job with Perl (see the
           example script under -d).

       -s  Check passwords against the result of getspnam(3) instead of
           getpwnam(3).  This function, on those systems that support it,
           reads from /etc/shadow or similar more restricted files.  If you
           want to check passwords supplied to nnrpd(8) against system account
           passwords, you will probably have to use this option on most
           systems.

           Most systems require special privileges to call getspnam(3), so in
           order to use this option you may need to make ckpasswd setgid to
           some group (like group "shadow") or even setuid root.  ckpasswd has
           not been specifically audited for such uses!  It is, however, a
           very small program that you should be able to check by hand for
           security.

           This configuration is not recommended if it can be avoided, since
           the NNTP protocol has no way of protecting passwords from casual
           interception, and using system passwords to authenticate NNTP
           connections therefore opens you up to the risk of password sniffing.
           If you do use system passwords to authenticate connections, you
           should seriously consider only doing NNTP through ssh tunnels or
           over SSL.


EXAMPLES

       See readers.conf(5) for examples of nnrpd(8) authentication
       configuration that uses ckpasswd to check passwords.
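
       The file format described under -f and the password echo noted under
       -d, as an added example that is not part of the INN documentation: a
       Perl script that adds or checks one entry in a username:hash file
       without echoing the password.  The path /path/to/passwords, the
       "add|check username" arguments and the presence of stty(1) are
       assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: maintain and test a "username:hash[:extra]" file for ckpasswd -f.
use strict;
use warnings;

my $file = '/path/to/passwords';    # placeholder path (assumption)
my ($mode, $user) = @ARGV;          # hypothetical command-line convention
die "usage: $0 add|check username\n"
    unless defined $user && $mode =~ /^(?:add|check)$/ && $user =~ /^[^:\s]+$/;

# Map each username to the rest of its line (hash plus any ignored fields).
my %entry;
if (open my $in, '<', $file) {
    while (my $line = <$in>) {
        chomp $line;
        my ($name, $rest) = split /:/, $line, 2;
        $entry{$name} = $rest if defined $rest && length $name;
    }
}
my ($stored, $extra) = split /:/, $entry{$user} // '', 2;

$| = 1;
print 'Password: ';
system('stty', '-echo');            # stop the terminal echoing the password
my $passwd = <STDIN>;
system('stty', 'echo');
print "\n";
die "No password given\n" unless defined $passwd;
chomp $passwd;

if ($mode eq 'add') {
    my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
    my $salt = join '', @alphabet[rand 64, rand 64];    # salt as in the -d script
    $entry{$user} = crypt($passwd, $salt) . (defined $extra ? ":$extra" : '');
    my $old = umask 027;                                # new file gets mode 0640
    open my $out, '>', "$file.new" or die "Cannot write $file.new: $!\n";
    print {$out} "$_:$entry{$_}\n" for sort keys %entry;
    close $out or die "Cannot close $file.new: $!\n";
    umask $old;
    rename "$file.new", $file or die "Cannot replace $file: $!\n";
} else {
    # crypt(3) takes its salt from the stored value; equal output means a match.
    my $try = defined $stored ? crypt($passwd, $stored) : undef;
    my $ok  = defined $try && $try eq $stored;
    print $ok ? "password matches\n" : "no match\n";
    exit($ok ? 0 : 1);
}
```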


HISTORY

       Written by Russ Allbery <rra@stanford.edu> for InterNetNews.

       $Id: ckpasswd.1,v 1.1.2.1 2000/11/06 08:41:11 rra Exp $


SEE ALSO

       readers.conf(5), nnrpd(8)



3rd Berkeley Distribution           INN 2.3                        CKPASSWD(1)
