Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
CKPASSWD(8)		  InterNetNews Documentation		   CKPASSWD(8)

       ckpasswd	- nnrpd	password authenticator

       ckpasswd	[-gs] [-d database] [-f	filename] [-u username -p password]

       ckpasswd	is the basic password authenticator for	nnrpd, suitable	for
       being run from an auth stanza in	readers.conf.  See readers.conf(5) for
       more information	on how to configure an nnrpd authenticator.

       ckpasswd	accepts	a username and password	from nnrpd and tells nnrpd(8)
       whether that's the correct password for that username.  By default,
       when given no arguments,	it tries to check the password using PAM if
       support for PAM was found when INN was built.  Failing that, it tries
       to check	the password against the password field	returned by
       getpwnam(3).  Note that these days most systems no longer make real
       passwords available via getpwnam(3) (some still do if and only if the
       program calling getpwnam(3) is running as root).

       When using PAM, ckpasswd	identifies itself as "nnrpd", not as
       "ckpasswd", and the PAM configuration must be set up accordingly.  The
       details of PAM configuration are	different on different operating
       systems (and even different Linux distributions); see EXAMPLES below
       for help	getting	started, and look for a	pam(7) or pam.conf(4) manual
       page on your system.

       When using any method other than	PAM, ckpasswd expects all passwords to
       be stored encrypted by the system crypt(3) function and calls crypt(3)
       on the supplied password	before comparing it to the expected password.
       If you're using a different password hash scheme	(like MD5), you	must
       use PAM.

       -d database
	   Read	passwords from a database (ndbm, gdbm or dbm format depending
	   on what your	system has) rather than	by using getpwnam(3).
	   ckpasswd expects database.dir and database.pag to exist and to be a
	   database keyed by username with the encrypted passwords as the

	   While INN doesn't come with a program intended specifically to
	   create such databases, on most systems it's fairly easy to write a
	   Perl	script to do so.  Something like:

	       use NDBM_File;
	       use Fcntl;
	       tie (%db, 'NDBM_File', '/path/to/database', O_RDWR|O_CREAT, 0640)
		   or die "Cannot open /path/to/database: $!\n";
	       $| = 1;
	       print "Username:	";
	       my $user	= <STDIN>;
	       chomp $user;
	       print "Password:	";
	       my $passwd = <STDIN>;
	       chomp $passwd;
	       my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
	       my $salt	= join '', @alphabet[rand 64, rand 64];
	       $db{$user} = crypt ($passwd, $salt);
	       untie %db;

	   Note	that this will echo back the password when typed; there	are
	   obvious improvements	that could be made to this, but	it should be a
	   reasonable start.  Sometimes	a program like this will be available
	   with	the name dbmpasswd.

	   This	option will not	be available on	systems	without	ndbm, gdbm or
	   dbm libraries.

       -f filename
	   Read	passwords from the given file rather than using	getpwnam(3).
	   The file is expected	to be formatted	like a system password file,
	   at least vaguely.  That means each line should look something like:


	   (and	each line may have an additional colon after the encrypted
	   password and	additional data; that data will	be ignored by
	   ckpasswd).  Lines starting with a number sign ("#") are ignored.
	   INN does not	come with a utility to create the encrypted passwords,
	   but htpasswd	(which comes with Apache) can do so and	it's a quick
	   job with Perl (see the example script under -d, or also below).  If
	   using Apache's htpasswd program, be sure to give it the -d option
	   so that it will use crypt(3).

	   A line in filename for the user "user" with the password "pass"
	   would be "user:LIfOpbjNaEQYE" as obtained by	the following command:

	       % htpasswd -nbd user pass

	   In case htpasswd is not installed or	if you do not want to depend
	   on it, another command involving Perl does a	similar	job:

	       % perl -e 'print	"user:".crypt("pass", "LI")."\n";'

       -g  Attempt to look up system group corresponding to username and
	   return a string like	"user@group" to	be matched against in
	   readers.conf.  This option is incompatible with the -d and -f

       -p password
	   Use password	as the password	for authentication rather than reading
	   a password using the	nnrpd authenticator protocol.  This option is
	   useful only for testing your	authentication system (particularly
	   since it involves putting a password	on the command line), and does
	   not work when ckpasswd is run by nnrpd.  If this option is given,
	   -u must also	be given.

       -s  Check passwords against the result of getspnam(3) instead of
	   getpwnam(3).	 This function,	on those systems that supports it,
	   reads from /etc/shadow or similar more restricted files.  If	you
	   want	to check passwords supplied to nnrpd(8)	against	system account
	   passwords, you will probably	have to	use this option	on most

	   Most	systems	require	special	privileges to call getspnam(3),	so in
	   order to use	this option you	may need to make ckpasswd setgid to
	   some	group (like group "shadow") or even setuid root.  ckpasswd has
	   not been specifically audited for such uses!	 It is,	however, a
	   very	small program that you should be able to check by hand for

	   This	configuration is not recommended if it can be avoided, for
	   serious security reasons.  See "SECURITY CONSIDERATIONS" in
	   readers.conf(5) for discussion.

       -u username
	   Authenticate	as username.  This option is useful only for testing
	   (so that you	can test your authentication system easily) and	does
	   not work when ckpasswd is run by nnrpd.  If this option is given,
	   -p must also	be given.

       See readers.conf(5) for examples	of nnrpd(8) authentication
       configuration that uses ckpasswd	to check passwords.

       An example PAM configuration for	/etc/pam.conf that tells ckpasswd to
       check usernames and passwords against system accounts is:

	   nnrpd auth	 required
	   nnrpd account required

       Your system may want you	to instead create a file named nnrpd in
       /etc/pam.d with lines like:

	   auth	   required
	   account required

       This is only the	simplest configuration.	 You may be able to include
       common shared files, and	you may	want to	stack other modules, either to
       allow different authentication methods or to apply restrictions like
       lists of	users who can't	authenticate using ckpasswd.  The best guide
       is the documentation for	your system and	the other PAM configurations
       you're already using.

       To test to make sure that ckpasswd is working correctly,	you can	run it
       manually	and then give it the username (prefixed	with
       "ClientAuthname:") and password (prefixed with "ClientPassword:") on
       standard	input.	For example:

	   (echo 'ClientAuthname: test'	; echo 'ClientPassword:	testing') \
	       | ckpasswd -f /path/to/passwd/file

       will check a username of	"test" and a password of "testing" against the
       username	and passwords stored in	/path/to/passwd/file.  On success,
       ckpasswd	will print "User:test" and exit	with status 0.	On failure, it
       will print some sort of error message and exit a	non-zero status.

       Written by Russ Allbery <> for InterNetNews.

       $Id: ckpasswd.pod 9937 2015-09-02 12:44:39Z iulius $

       crypt(3), nnrpd(8), pam(7), readers.conf(5).

INN 2.6.3			  2015-09-12			   CKPASSWD(8)


Want to link to this manual page? Use this URL:

home | help