INN2 user authentication against system users

Russ Allbery eagle at eyrie.org
Fri Feb 12 01:11:15 UTC 2021


Kevin Shell <kshell at gmx.com> writes:
> On Thu, Feb 11, 2021 at 09:49:19AM -0800, Russ Allbery wrote:

>> Just using ckpasswd without any other options will tell ckpasswd to
>> invoke PAM to verify the password.  PAM will, in turn, check
>> authentication against the normal system authentication files (as
>> configured by your regular PAM configuration).  It claims to be the
>> application "nnrpd".

>> You may need to install a (simple) PAM configuration as documented in
>> the ckpasswd man page, although I think most systems provide a sensible
>> default.

>> You probably want to go through PAM rather than using ckpasswd -s
>> because PAM will generally use a setgid helper program to allow it to
>> read /etc/shadow without you having to do special configuration.

> quote from man 8 ckpasswd

>       Most systems require special privileges to call getspnam(3), so in
>       order to use this option you may need to make ckpasswd setgid to
>       some group (like group "shadow") or even setuid root.  ckpasswd
>       has not been specifically audited for such uses!  It is, however,
>       a very small program that you should be able to check by hand for
>       security.

> I followed the man page and changed the ckpasswd binary to setgid shadow;
> it works, but the man page doesn't encourage the usage "ckpasswd -s".

Correct.  I would encourage you to instead just use "ckpasswd" and drop
the -s flag and the setgid bit.  It will probably just work.

> Is it safe to use?
> Maybe I have to fall back to
> just the original usage "ckpasswd -f /etc/news/newsusers"

You should try calling it without any arguments first.  :)

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
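
A check of the setup recommended in this thread, added here as an example and not part of the original message or of INN: it reports whether a ckpasswd binary still carries setuid/setgid bits and which PAM service file would apply to the application name "nnrpd". The function names, the path argument and the Linux-PAM /etc/pam.d layout are assumptions.

```shell
#!/bin/sh
# Added example, not INN code. Assumes a Linux-PAM layout (/etc/pam.d); the
# ckpasswd path is passed as an argument because it differs between installs.

# Print the privilege bits set on a file: "setuid", "setgid",
# "setuid setgid" or "none". Plain ckpasswd (PAM mode) needs none.
priv_bits() {
    bits=""
    [ -u "$1" ] && bits="setuid"
    [ -g "$1" ] && bits="${bits:+$bits }setgid"
    echo "${bits:-none}"
}

# Print the PAM service file that applies to the application name "nnrpd":
# the dedicated file if present, else the "other" fallback, else "missing".
pam_service() {
    dir="${1:-/etc/pam.d}"
    if [ -f "$dir/nnrpd" ]; then
        echo "$dir/nnrpd"
    elif [ -f "$dir/other" ]; then
        echo "$dir/other"
    else
        echo "missing"
    fi
}

# Return 0 when the binary has no privilege bits and a PAM service file is
# available, 1 when either check fails, 2 when the binary is not found.
audit_ckpasswd() {
    bin="$1"; pamdir="${2:-/etc/pam.d}"; rc=0
    [ -f "$bin" ] || { echo "not found: $bin"; return 2; }
    b=$(priv_bits "$bin")
    s=$(pam_service "$pamdir")
    echo "privilege bits:   $b"
    echo "PAM service file: $s"
    if [ "$b" != "none" ]; then
        echo "not needed without -s; remove with: chmod u-s,g-s $bin"
        rc=1
    fi
    if [ "$s" = "missing" ]; then
        echo "no PAM configuration found for nnrpd in $pamdir"
        rc=1
    fi
    return $rc
}

# Usage: sh audit.sh /path/to/ckpasswd [pam-directory]
if [ $# -ge 1 ]; then audit_ckpasswd "$@"; fi
```
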

