INN2 user authentication against system users

Kevin Shell kshell at
Fri Feb 12 01:07:34 UTC 2021

On Thu, Feb 11, 2021 at 09:49:19AM -0800, Russ Allbery wrote:
> Just using ckpasswd without any other options will tell ckpasswd to invoke
> PAM to verify the password.  PAM will, in turn, check authentication
> against the normal system authentication files (as configured by your
> regular PAM configuration).  It claims to be the application "nnrpd".
> You may need to install a (simple) PAM configuration as documented in the
> ckpasswd man page, although I think most systems provide a sensible
> default.
> You probably want to go through PAM rather than using ckpasswd -s because
> PAM will generally use a setgid helper program to allow it to read
> /etc/shadow without you having to do special configuration.

quote from man 8 ckpasswd

      Most systems require special privileges to call getspnam(3), so in order
      to use this option you may need to make ckpasswd setgid to some group
      (like group "shadow") or even setuid root.  ckpasswd has not been
      specifically audited for such uses!  It is, however, a very small
      program that you should be able to check by hand for security.

I follow the man page and change the ckpasswd binary setgid to shadow
it works, but man pages don't encourage the usage "ckpasswd -s".

Is it safe to use?
Maybe I have to fallback to
just the original usage "ckpasswd -f /etc/news/newsusers"


More information about the inn-workers mailing list