ckpasswd -f database creation utility?

Russ Allbery rra at stanford.edu
Mon Nov 20 00:14:44 UTC 2000 

David Sargeant <david_sargeant at hplx.net> writes:

> I've looked in the archives, but haven't seen the answer to my question
> ... I've just upgraded my local-only news server to INN 2.3.0 from 2.2
> (running on a Red Hat 6.2 Linux server), and now have to change my
> nnrp.access security over to readers.conf.  I'm having a lot of problems
> with that, but my first question is, what utility (or utilities) do I
> use to create encrypted passwords for the passwords file that ckpasswd
> -f seems to want, and where can I get the utility(s)?  I have two
> requirements, first batch converting all the existing users in the
> nnrp.access file, then adding users on the fly from an automatic utility
> -- i.e., one that takes a username and password as input (probably from
> a web form) and runs the program to add that username and encrypted
> password to the news user password file.  Oh, and I want to use a
> separate password file (possibly several separate password files) from
> the system passwd and shadow files, since my news server users don't
> correspond at all to my system users.

Attached is the new man page for ckpasswd that will be in 2.3.1.  This
should help.

NAME
    ckpasswd - nnrpd password authenticator

SYNOPSIS
    ckpasswd [-s] [-d *database*] [-f *filename*]

DESCRIPTION
    ckpasswd is the basic password authenticator for nnrpd, suitable for
    being run from an auth stanza in readers.conf(5). See readers.conf(5)
    for more information on how to configure an nnrpd authenticator.

    ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
    whether that's the correct password for that username. By default, when
    given no arguments, it checks the password against the password field
    returned by getpwnam(3). Note that these days most systems no longer
    make real passwords available via getpwnam(3) (some still do if and only
    if the program calling getpwnam(3) is running as root).

    Note that ckpasswd expects all passwords to be stored encrypted by the
    system crypt(3) function and calls crypt(3) on the supplied password
    before comparing it to the expected password.

OPTIONS
    -d *database*
        Read passwords from a database (ndbm or dbm format depending on what
        your system has) rather than by using getpwnam(3). ckpasswd expects
        *database*.dir and *database*.pag to exist and to be a database
        keyed by username with the encrypted passwords as the values.

        While INN doesn't come with a program intended specifically to
        create such databases, on most systems it's fairly easy to write a
        Perl script to do so. Something like:

            #!/usr/bin/perl
            use NDBM_File;
            use Fcntl;
            tie (%db, 'NDBM_File', '/path/to/database', O_RDWR | O_CREAT, 0640)
                or die "Cannot open /path/to/database: $!\n";
            $| = 1;
            print "Username: ";
            my $user = <STDIN>;
            chomp $user;
            print "Password: ";
            my $passwd = <STDIN>;
            chomp $passwd;
            my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
            my $salt = join '', @alphabet[rand 64, rand 64];
            $db{$user} = crypt ($passwd, $salt);
            untie %db;

        Note that this will echo back the password when typed; there are
        obvious improvements that could be made to this, but it should be a
        reasonable start.

        This option will not be available on systems without dbm or ndbm
        libraries.

    -f *filename*
        Read passwords from the given file rather than using getpwnam(3).
        The file is expected to be formatted like a system password file, at
        leat vaguely. That means each line should look something like:

            username:pdIh9NCNslkq6

        (and each line may have an additional colon after the encrypted
        password and additional data; that data will be ignored by
        ckpasswd). INN does not come with a utility to create the encrypted
        passwords, but it's a quick job with Perl (see the example script
        under -d).

    -s  Check passwords against the result of getspnam(3) instead of
        getpwnam(3). This function, on those systems that supports it, reads
        from /etc/shadow or similar more restricted files. If you want to
        check passwords supplied to nnrpd(8) against system account
        passwords, you will probably have to use this option on most
        systems.

        Most systems require special privileges to call getspnam(3), so in
        order to use this option you may need to make ckpasswd setgid to
        some group (like group "shadow") or even setuid root. ckpasswd has
        not been specifically audited for such uses! It is, however, a very
        small program that you should be able to check by hand for security.

        This configuration is not recommended if it can be avoided, since
        the NNTP protocol has no way of protecting passwords from casual
        interception, and using system passwords to authenticate NNTP
        connections therefore opens you up to the risk of password sniffing.
        If you do use system passwords to authenticate connections, you
        should seriously consider only doing NNTP through ssh tunnels or
        over SSL.

EXAMPLES
    See readers.conf(5) for examples of nnrpd(8) authentication
    configuration that uses ckpasswd to check passwords.

HISTORY
    Written by Russ Allbery <rra at stanford.edu> for InterNetNews.

    $Id: ckpasswd.pod,v 1.1 2000/11/06 08:32:44 rra Exp $

SEE ALSO
    readers.conf(5), nnrpd(8)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the inn-workers mailing list