INN2 user authentication against system users

Kevin Shell kshell at gmx.com
Sun Feb 14 12:42:51 UTC 2021


On Fri, Feb 12, 2021 at 07:50:47PM +0100, Julien ÉLIE wrote:
> Hi Kevin,
> > > Wouldn't "ckpasswd -s" be what you are looking for?
> > > 
> > I have to change ckpasswd to setgid shadow,
> > and i works on GNU/Linux, don't know if it works for other OSes.
        it :-)
> 
> Did you try Russ' suggestion of "ckpasswd" without the "-s" option?
> It would allow you to remove the setgid bit you set.
> 
Yes.
I followed Russ' suggestion and the ckpasswd man page to
add an nnrpd PAM entry for ckpasswd; just the plain ckpasswd command
without arguments and without setgid shadow does not work on Debian Linux.

> See the EXAMPLES section in
> https://www.eyrie.org/~eagle/software/inn/docs/ckpasswd.html to see how PAM
> can be configured.
> 
> 
> > > Which part of the EXAMPLES section at the end of the man page would you like to emphasize more?
> > >    https://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
> > 
> > I think just plain User/Password authentication over nntps should be easy. :-)
> 
> Oh, I also see that the readers.conf example file shipped with INN does not
> contain any example of ckpasswd use...
> 
> So, I suggest to:
> - improve the basic readers.conf example file to add an example of
> "ckpasswd" (PAM) and "ckpasswd -f" (file) uses;
> - change the examples in the readers.conf man page to use "ckpasswd" instead
> of "ckpasswd -s" (and just say in a sentence the difference);
> - change the examples in the readers.conf man page to use "ckpasswd -f"
> instead of "ckpasswd -d" (using a plain file is far easier);

I use "doveadm pw" to create the strong password hash,
and I think "ckpasswd -f" is fast and safe.
Besides, the "-d" option doesn't mention
how to create the key/value password database,
and INN2 doesn't provide a tool to create such a *dbm password database.

> - add a "QUICK START" section near the beginning of the readers.conf man
> page to just document these two most frequent uses.
> 
> Do you see any other way to improve that documentation?

I agree with adding such a section to readers.conf,
and with having the ckpasswd man page refer to it too.
> 

-- 
kevin



