some fixes; debug for missing

[inn-innduct.git] / doc / man / ckpasswd.8

.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.\"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CKPASSWD 8"
.TH CKPASSWD 8 "2008-04-06" "INN 2.4.5" "InterNetNews Documentation"
.SH "NAME"
ckpasswd \- nnrpd password authenticator
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBckpasswd\fR [\fB\-gs\fR] [\fB\-d\fR \fIdatabase\fR] [\fB\-f\fR \fIfilename\fR]
[\fB\-u\fR \fIusername\fR \fB\-p\fR \fIpassword\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBckpasswd\fR is the basic password authenticator for nnrpd, suitable for
being run from an auth stanza in \fIreaders.conf\fR.  See \fIreaders.conf\fR\|(5) for
more information on how to configure an nnrpd authenticator.
.PP
\&\fBckpasswd\fR accepts a username and password from nnrpd and tells \fInnrpd\fR\|(8)
whether that's the correct password for that username.  By default, when
given no arguments, it tries to check the password using \s-1PAM\s0 if support
for \s-1PAM\s0 was found when \s-1INN\s0 was built.  Failing that, it tries to check the
password against the password field returned by \fIgetpwnam\fR\|(3).  Note that
these days most systems no longer make real passwords available via
\&\fIgetpwnam\fR\|(3) (some still do if and only if the program calling \fIgetpwnam\fR\|(3)
is running as root).
.PP
When using \s-1PAM\s0, \fBckpasswd\fR identifies itself as \f(CW\*(C`nnrpd\*(C'\fR, not as
\&\f(CW\*(C`ckpasswd\*(C'\fR, and the \s-1PAM\s0 configuration must be set up accordingly.  The
details of \s-1PAM\s0 configuration are different on different operating systems
(and even different Linux distributions); see \s-1EXAMPLES\s0 below for help
getting started, and look for a \fIpam\fR\|(7) or \fIpam.conf\fR\|(4) manual page on your
system.
.PP
When using any method other than \s-1PAM\s0, \fBckpasswd\fR expects all passwords to
be stored encrypted by the system \fIcrypt\fR\|(3) function and calls \fIcrypt\fR\|(3) on
the supplied password before comparing it to the expected password.  \s-1IF\s0
you're using a different password hash scheme (like \s-1MD5\s0), you must use
\&\s-1PAM\s0.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-d\fR \fIdatabase\fR" 4
.IX Item "-d database"
Read passwords from a database (ndbm or dbm format depending on what your
system has) rather than by using \fIgetpwnam\fR\|(3).  \fBckpasswd\fR expects
\&\fIdatabase\fR.dir and \fIdatabase\fR.pag to exist and to be a database keyed by
username with the encrypted passwords as the values.
.Sp
While \s-1INN\s0 doesn't come with a program intended specifically to create such
databases, on most systems it's fairly easy to write a Perl script to do
so.  Something like:
.Sp
.Vb 16
\&    #!/usr/bin/perl
\&    use NDBM_File;
\&    use Fcntl;
\&    tie (%db, 'NDBM_File', '/path/to/database', O_RDWR|O_CREAT, 0640)
\&        or die "Cannot open /path/to/database: $!\en";
\&    $| = 1;
\&    print "Username: ";
\&    my $user = <STDIN>;
\&    chomp $user;
\&    print "Password: ";
\&    my $passwd = <STDIN>;
\&    chomp $passwd;
\&    my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
\&    my $salt = join '', @alphabet[rand 64, rand 64];
\&    $db{$user} = crypt ($passwd, $salt);
\&    untie %db;
.Ve
.Sp
Note that this will echo back the password when typed; there are obvious
improvements that could be made to this, but it should be a reasonable
start.  Sometimes a program like this will be available with the name
\&\fBdbmpasswd\fR.
.Sp
This option will not be available on systems without dbm or ndbm
libraries.
.IP "\fB\-f\fR \fIfilename\fR" 4
.IX Item "-f filename"
Read passwords from the given file rather than using \fIgetpwnam\fR\|(3).  The
file is expected to be formatted like a system password file, at least
vaguely.  That means each line should look something like:
.Sp
.Vb 1
\&    username:pdIh9NCNslkq6
.Ve
.Sp
(and each line may have an additional colon after the encrypted password
and additional data; that data will be ignored by \fBckpasswd\fR).  Lines
starting with a number sign (`#') are ignored.  \s-1INN\s0 does not come with a
utility to create the encrypted passwords, but \fBhtpasswd\fR (which comes
with Apache) can do so and it's a quick job with Perl (see the example
script under \fB\-d\fR).  If using Apache's \fBhtpasswd\fR program, be sure to
give it the \fB\-d\fR option so that it will use \fIcrypt\fR\|(3).
.IP "\fB\-g\fR" 4
.IX Item "-g"
Attempt to look up system group corresponding to username and return a
string like \*(L"user@group\*(R" to be matched against in \fIreaders.conf\fR.  This
option is incompatible with the \fB\-d\fR and \fB\-f\fR options.
.IP "\fB\-p\fR \fIpassword\fR" 4
.IX Item "-p password"
Use \fIpassword\fR as the password for authentication rather than reading a
password using the nnrpd authenticator protocol.  This option is useful
only for testing your authentication system (particularly since it
involves putting a password on the command line), and does not work when
\&\fBckpasswd\fR is run by \fBnnrpd\fR.  If this option is given, \fB\-u\fR must also
be given.
.IP "\fB\-s\fR" 4
.IX Item "-s"
Check passwords against the result of \fIgetspnam\fR\|(3) instead of \fIgetpwnam\fR\|(3).
This function, on those systems that supports it, reads from /etc/shadow
or similar more restricted files.  If you want to check passwords supplied
to \fInnrpd\fR\|(8) against system account passwords, you will probably have to
use this option on most systems.
.Sp
Most systems require special privileges to call \fIgetspnam\fR\|(3), so in order
to use this option you may need to make \fBckpasswd\fR setgid to some group
(like group \*(L"shadow\*(R") or even setuid root.  \fBckpasswd\fR has not been
specifically audited for such uses!  It is, however, a very small program
that you should be able to check by hand for security.
.Sp
This configuration is not recommended if it can be avoided, for serious
security reasons.  See \*(L"\s-1SECURITY\s0 \s-1CONSIDERATIONS\s0\*(R" in readers.conf\&(5) for
discussion.
.IP "\fB\-u\fR \fIusername\fR" 4
.IX Item "-u username"
Authenticate as \fIusername\fR.  This option is useful only for testing (so
that you can test your authentication system easily) and does not work
when \fBckpasswd\fR is run by \fBnnrpd\fR.  If this option is given, \fB\-p\fR must
also be given.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
See \fIreaders.conf\fR\|(5) for examples of \fInnrpd\fR\|(8) authentication configuration
that uses \fBckpasswd\fR to check passwords.
.PP
An example \s-1PAM\s0 configuration for \fI/etc/pam.conf\fR that tells \fBckpasswd\fR
to check usernames and passwords against system accounts is:
.PP
.Vb 2
\&    nnrpd auth    required pam_unix.so
\&    nnrpd account required pam_unix.so
.Ve
.PP
Your system may want you to instead create a file named \fInnrpd\fR in
\&\fI/etc/pam.d\fR with lines like:
.PP
.Vb 2
\&    auth    required pam_unix.so
\&    account required pam_unix.so
.Ve
.PP
This is only the simplest configuration.  You may be able to include
common shared files, and you may want to stack other modules, either to
allow different authentication methods or to apply restrictions like lists
of users who can't authenticate using \fBckpasswd\fR.  The best guide is the
documentation for your system and the other \s-1PAM\s0 configurations you're
already using.
.PP
To test to make sure that \fBckpasswd\fR is working correctly, you can run it
manually and then give it the username (prefixed with \f(CW\*(C`ClientAuthname:\*(C'\fR)
and password (prefixed with \f(CW\*(C`ClientPassword:\*(C'\fR) on standard input.  For
example:
.PP
.Vb 2
\&    (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') \e
\&        | ckpasswd \-f /path/to/passwd/file
.Ve
.PP
will check a username of \f(CW\*(C`test\*(C'\fR and a password of \f(CW\*(C`testing\*(C'\fR against the
username and passwords stored in \fI/path/to/passwd/file\fR.  On success,
\&\fBckpasswd\fR will print \f(CW\*(C`User:test\*(C'\fR and exit with status 0.  On failure,
it will print some sort of error message and exit a non-zero status.
.SH "HISTORY"
.IX Header "HISTORY"
Written by Russ Allbery <rra@stanford.edu> for InterNetNews.
.PP
$Id: ckpasswd.8 7880 2008-06-16 20:37:13Z iulius $
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIreaders.conf\fR\|(5), \fInnrpd\fR\|(8)
.PP
Linux users who want to use \s-1PAM\s0 should read the Linux-PAM System
Administrator's Guide at
<http://www.kernel.org/pub/linux/libs/pam/Linux\-PAM\-html/Linux\-PAM_SAG.html>.