Provided by: inn2_2.4.2-3ubuntu1_i386 bug

NAME

       ckpasswd - nnrpd password authenticator

SYNOPSIS

       ckpasswd [-gs] [-d database] [-f filename] [-u username -p password]

DESCRIPTION

       ckpasswd is the basic password authenticator for nnrpd, suitable for
       being run from an auth stanza in readers.conf.  See readers.conf(5) for
       more information on how to configure an nnrpd authenticator.

       ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
       whether that’s the correct password for that username.  By default,
       when given no arguments, it tries to check the password using PAM if
       support for PAM was found when INN was built.  Failing that, it tries
       to check the password against the password field returned by
       getpwnam(3).  Note that these days most systems no longer make real
       passwords available via getpwnam(3) (some still do if and only if the
       program calling getpwnam(3) is running as root).

       Note that ckpasswd expects all passwords to be stored encrypted by the
       system crypt(3) function and calls crypt(3) on the supplied password
       before comparing it to the expected password (when using any method
       other than PAM).

OPTIONS

       -d database
           Read passwords from a database (ndbm or dbm format depending on
           what your system has) rather than by using getpwnam(3).  ckpasswd
           expects database.dir and database.pag to exist and to be a database
           keyed by username with the encrypted passwords as the values.

           While INN doesn’t come with a program intended specifically to
           create such databases, on most systems it’s fairly easy to write a
           Perl script to do so.  Something like:

               #!/usr/bin/perl
               use NDBM_File;
               use Fcntl;
               tie (%db, ’NDBM_File’, ’/path/to/database’, O_RDWR│O_CREAT, 0640)
                   or die "Cannot open /path/to/database: $!\n";
               $│ = 1;
               print "Username: ";
               my $user = <STDIN>;
               chomp $user;
               print "Password: ";
               my $passwd = <STDIN>;
               chomp $passwd;
               my @alphabet = (’.’, ’/’, 0..9, ’A’..’Z’, ’a’..’z’);
               my $salt = join ’’, @alphabet[rand 64, rand 64];
               $db{$user} = crypt ($passwd, $salt);
               untie %db;

           Note that this will echo back the password when typed; there are
           obvious improvements that could be made to this, but it should be a
           reasonable start.  Sometimes a program like this will be available
           with the name dbmpasswd.

           This option will not be available on systems without dbm or ndbm
           libraries.

       -f filename
           Read passwords from the given file rather than using getpwnam(3).
           The file is expected to be formatted like a system password file,
           at least vaguely.  That means each line should look something like:

               username:pdIh9NCNslkq6

           (and each line may have an additional colon after the encrypted
           password and additional data; that data will be ignored by
           ckpasswd).  Lines starting with a number sign (‘#’) are ignored.
           INN does not come with a utility to create the encrypted passwords,
           but htpasswd (which comes with Apache) can do so and it’s a quick
           job with Perl (see the example script under -d).  If using Apache’s
           htpasswd program, be sure to give it the -d option so that it will
           use crypt(3).

       -g  Attempt to look up system group corresponding to username and
           return a string like "user@group" to be matched against in
           readers.conf.  This option is incompatible with the -d and -f
           options.

       -p password
           Use password as the password for authentication rather than reading
           a password using the nnrpd authenticator protocol.  This option is
           useful only for testing your authentication system (particularly
           since it involves putting a password on the command line), and does
           not work when ckpasswd is run by nnrpd.  If this option is given,
           -u must also be given.

       -s  Check passwords against the result of getspnam(3) instead of
           getpwnam(3).  This function, on those systems that supports it,
           reads from /etc/shadow or similar more restricted files.  If you
           want to check passwords supplied to nnrpd(8) against system account
           passwords, you will probably have to use this option on most
           systems.

           Most systems require special privileges to call getspnam(3), so in
           order to use this option you may need to make ckpasswd setgid to
           some group (like group "shadow") or even setuid root.  ckpasswd has
           not been specifically audited for such uses!  It is, however, a
           very small program that you should be able to check by hand for
           security.

           This configuration is not recommended if it can be avoided, for
           serious security reasons.  See "SECURITY CONSIDERATIONS" in
           readers.conf(5) for discussion.

       -u username
           Authenticate as username.  This option is useful only for testing
           (so that you can test your authentication system easily) and does
           not work when ckpasswd is run by nnrpd.  If this option is given,
           -p must also be given.

EXAMPLES

       See readers.conf(5) for examples of nnrpd(8) authentication
       configuration that uses ckpasswd to check passwords.

       To test to make sure that ckpasswd is working correctly, you can run it
       manually and then give it the username (prefixed with
       "ClientAuthname:") and password (prefixed with "ClientPassword:") on
       standard input.  For example:

           (echo ’ClientAuthname: test’ ; echo ’ClientPassword: testing’) \
               │ ckpasswd -f /path/to/passwd/file

       will check a username of "test" and a password of "testing" against the
       username and passwords stored in /path/to/passwd/file.  On success,
       ckpasswd will print "User:test" and exit with status 0.  On failure, it
       will print some sort of error message and exit a non-zero status.

HISTORY

       Written by Russ Allbery <rra@stanford.edu> for InterNetNews.

       $Id: ckpasswd.8,v 1.2.2.2 2003/08/08 22:02:42 vinocur Exp $

SEE ALSO

       readers.conf(5), nnrpd(8)