INN2 user authentication against system users
Kevin Shell
kshell at gmx.com
Fri Feb 12 01:07:34 UTC 2021
On Thu, Feb 11, 2021 at 09:49:19AM -0800, Russ Allbery wrote:
>
> Just using ckpasswd without any other options will tell ckpasswd to invoke
> PAM to verify the password. PAM will, in turn, check authentication
> against the normal system authentication files (as configured by your
> regular PAM configuration). It claims to be the application "nnrpd".
>
> You may need to install a (simple) PAM configuration as documented in the
> ckpasswd man page, although I think most systems provide a sensible
> default.
>
> You probably want to go through PAM rather than using ckpasswd -s because
> PAM will generally use a setgid helper program to allow it to read
> /etc/shadow without you having to do special configuration.
>
Quote from man 8 ckpasswd:

    Most systems require special privileges to call getspnam(3), so in order
    to use this option you may need to make ckpasswd setgid to some group
    (like group "shadow") or even setuid root. ckpasswd has not been
    specifically audited for such uses! It is, however, a very small
    program that you should be able to check by hand for security.

I followed the man page and changed the ckpasswd binary to setgid shadow.
It works, but the man page doesn't encourage the usage "ckpasswd -s".
Is it safe to use?

Maybe I have to fall back to
just the original usage "ckpasswd -f /etc/news/newsusers".
--
kevin
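
A permission check for a helper made setgid as in the message above, as an added example that is not part of the original post or of INN. The function names and the placeholder path are assumptions; it inspects mode and ownership only and does not replace reading the ckpasswd source by hand, as the quoted man page text suggests.

```shell
#!/bin/sh
# Added example: audit mode and ownership of a binary made setgid to a group.
# Usage (the path is a placeholder, not taken from the message):
#   audit_setgid_helper /path/to/ckpasswd shadow root

# True if FILE has every permission bit in the octal MODE set.
has_bits() { [ -n "$(find "$1" -perm "-$2" 2>/dev/null)" ]; }

# audit_setgid_helper FILE GROUP [OWNER]
# Prints one line per finding; returns 0 when nothing is flagged, 1 otherwise.
audit_setgid_helper() {
    file=$1 want_group=$2 want_owner=${3:-root}
    rc=0
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"
        return 1
    fi
    # ls -ld fields: mode, link count, owner, group, ...
    set -- $(ls -ld "$file")
    owner=$3 group=$4
    if has_bits "$file" 4000; then
        echo "FAIL: setuid bit set; setgid to one group is the narrower grant"
        rc=1
    fi
    if ! has_bits "$file" 2000; then
        echo "FAIL: setgid bit not set"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"
        rc=1
    fi
    # Anyone who can write the file can replace code that runs with the group.
    if has_bits "$file" 0020 || has_bits "$file" 0002; then
        echo "FAIL: writable by group or others"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file is setgid $group, owner $owner, not group/world-writable"
    fi
    return "$rc"
}
```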