INN2 user authentication against system users
Russ Allbery
eagle at eyrie.org
Fri Feb 12 01:11:15 UTC 2021
Kevin Shell <kshell at gmx.com> writes:
> On Thu, Feb 11, 2021 at 09:49:19AM -0800, Russ Allbery wrote:
>> Just using ckpasswd without any other options will tell ckpasswd to
>> invoke PAM to verify the password. PAM will, in turn, check
>> authentication against the normal system authentication files (as
>> configured by your regular PAM configuration). It claims to be the
>> application "nnrpd".
>> You may need to install a (simple) PAM configuration as documented in
>> the ckpasswd man page, although I think most systems provide a sensible
>> default.
>> You probably want to go through PAM rather than using ckpasswd -s
>> because PAM will generally use a setgid helper program to allow it to
>> read /etc/shadow without you having to do special configuration.
> Quote from man 8 ckpasswd:
>
>     Most systems require special privileges to call getspnam(3), so in
>     order to use this option you may need to make ckpasswd setgid to
>     some group (like group "shadow") or even setuid root. ckpasswd
>     has not been specifically audited for such uses! It is, however,
>     a very small program that you should be able to check by hand for
>     security.
>
> I follow the man page and change the ckpasswd binary setgid to shadow;
> it works, but man pages don't encourage the usage "ckpasswd -s".
Correct. I would encourage you to instead just use "ckpasswd" and drop
the -s flag and the setgid bit. It will probably just work.
> Is it safe to use?
> Maybe I have to fall back to
> just the original usage "ckpasswd -f /etc/news/newsusers"
You should try calling it without any arguments first. :)
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
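
Added example, not part of the message above and not code from INN: a small shell audit for the cleanup the reply recommends, confirming that the ckpasswd binary no longer carries a setuid/setgid bit and that readers.conf no longer passes -s. The function names are hypothetical, and the binary, readers.conf and PAM directory paths are supplied by the caller because they vary between installs.

```shell
#!/bin/sh
# Added example, not from the thread or the INN distribution.
# Paths are passed as arguments because they differ per install.

# True if the file carries the setuid or setgid bit.
has_special_bits() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Print (with line numbers) readers.conf auth: lines that run ckpasswd -s.
shadow_flag_lines() {
    grep -nE '^[[:space:]]*auth:.*ckpasswd.*[[:space:]]-s([[:space:]"]|$)' "$1"
}

# audit_ckpasswd BINARY READERS_CONF [PAM_DIR]
# Returns 0 when neither the special bits nor -s are in use, 1 otherwise.
audit_ckpasswd() {
    bin=$1 conf=$2 pamdir=${3:-/etc/pam.d} status=0
    if has_special_bits "$bin"; then
        echo "WARN: $bin is setuid/setgid; clear it with: chmod ug-s $bin"
        status=1
    fi
    if lines=$(shadow_flag_lines "$conf"); then
        echo "WARN: $conf calls ckpasswd -s; drop the flag to use PAM:"
        echo "$lines"
        status=1
    fi
    # ckpasswd identifies itself to PAM as "nnrpd".
    if [ -e "$pamdir/nnrpd" ]; then
        echo "INFO: PAM service file $pamdir/nnrpd is present"
    else
        echo "INFO: no $pamdir/nnrpd; the system default PAM policy applies"
    fi
    return "$status"
}

# Run the audit only when paths were given on the command line.
if [ "$#" -ge 2 ]; then
    audit_ckpasswd "$@"
fi
```

Run it as `sh audit.sh /path/to/ckpasswd /path/to/readers.conf`; a non-zero exit means the setgid/-s setup is still in place.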