+++ /dev/null
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "CKPASSWD 8"
-.TH CKPASSWD 8 "2008-04-06" "INN 2.4.5" "InterNetNews Documentation"
-.SH "NAME"
-ckpasswd \- nnrpd password authenticator
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBckpasswd\fR [\fB\-gs\fR] [\fB\-d\fR \fIdatabase\fR] [\fB\-f\fR \fIfilename\fR]
-[\fB\-u\fR \fIusername\fR \fB\-p\fR \fIpassword\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-\&\fBckpasswd\fR is the basic password authenticator for nnrpd, suitable for
-being run from an auth stanza in \fIreaders.conf\fR. See \fIreaders.conf\fR\|(5) for
-more information on how to configure an nnrpd authenticator.
-.PP
-\&\fBckpasswd\fR accepts a username and password from nnrpd and tells \fInnrpd\fR\|(8)
-whether that's the correct password for that username. By default, when
-given no arguments, it tries to check the password using \s-1PAM\s0 if support
-for \s-1PAM\s0 was found when \s-1INN\s0 was built. Failing that, it tries to check the
-password against the password field returned by \fIgetpwnam\fR\|(3). Note that
-these days most systems no longer make real passwords available via
-\&\fIgetpwnam\fR\|(3) (some still do if and only if the program calling \fIgetpwnam\fR\|(3)
-is running as root).
-.PP
-When using \s-1PAM\s0, \fBckpasswd\fR identifies itself as \f(CW\*(C`nnrpd\*(C'\fR, not as
-\&\f(CW\*(C`ckpasswd\*(C'\fR, and the \s-1PAM\s0 configuration must be set up accordingly. The
-details of \s-1PAM\s0 configuration are different on different operating systems
-(and even different Linux distributions); see \s-1EXAMPLES\s0 below for help
-getting started, and look for a \fIpam\fR\|(7) or \fIpam.conf\fR\|(4) manual page on your
-system.
-.PP
-When using any method other than \s-1PAM\s0, \fBckpasswd\fR expects all passwords to
-be stored encrypted by the system \fIcrypt\fR\|(3) function and calls \fIcrypt\fR\|(3) on
-the supplied password before comparing it to the expected password. \s-1IF\s0
-you're using a different password hash scheme (like \s-1MD5\s0), you must use
-\&\s-1PAM\s0.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.IP "\fB\-d\fR \fIdatabase\fR" 4
-.IX Item "-d database"
-Read passwords from a database (ndbm or dbm format depending on what your
-system has) rather than by using \fIgetpwnam\fR\|(3). \fBckpasswd\fR expects
-\&\fIdatabase\fR.dir and \fIdatabase\fR.pag to exist and to be a database keyed by
-username with the encrypted passwords as the values.
-.Sp
-While \s-1INN\s0 doesn't come with a program intended specifically to create such
-databases, on most systems it's fairly easy to write a Perl script to do
-so. Something like:
-.Sp
-.Vb 16
-\& #!/usr/bin/perl
-\& use NDBM_File;
-\& use Fcntl;
-\& tie (%db, 'NDBM_File', '/path/to/database', O_RDWR|O_CREAT, 0640)
-\& or die "Cannot open /path/to/database: $!\en";
-\& $| = 1;
-\& print "Username: ";
-\& my $user = <STDIN>;
-\& chomp $user;
-\& print "Password: ";
-\& my $passwd = <STDIN>;
-\& chomp $passwd;
-\& my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
-\& my $salt = join '', @alphabet[rand 64, rand 64];
-\& $db{$user} = crypt ($passwd, $salt);
-\& untie %db;
-.Ve
-.Sp
-Note that this will echo back the password when typed; there are obvious
-improvements that could be made to this, but it should be a reasonable
-start. Sometimes a program like this will be available with the name
-\&\fBdbmpasswd\fR.
-.Sp
-This option will not be available on systems without dbm or ndbm
-libraries.
-.IP "\fB\-f\fR \fIfilename\fR" 4
-.IX Item "-f filename"
-Read passwords from the given file rather than using \fIgetpwnam\fR\|(3). The
-file is expected to be formatted like a system password file, at least
-vaguely. That means each line should look something like:
-.Sp
-.Vb 1
-\& username:pdIh9NCNslkq6
-.Ve
-.Sp
-(and each line may have an additional colon after the encrypted password
-and additional data; that data will be ignored by \fBckpasswd\fR). Lines
-starting with a number sign (`#') are ignored. \s-1INN\s0 does not come with a
-utility to create the encrypted passwords, but \fBhtpasswd\fR (which comes
-with Apache) can do so and it's a quick job with Perl (see the example
-script under \fB\-d\fR). If using Apache's \fBhtpasswd\fR program, be sure to
-give it the \fB\-d\fR option so that it will use \fIcrypt\fR\|(3).
-.IP "\fB\-g\fR" 4
-.IX Item "-g"
-Attempt to look up system group corresponding to username and return a
-string like \*(L"user@group\*(R" to be matched against in \fIreaders.conf\fR. This
-option is incompatible with the \fB\-d\fR and \fB\-f\fR options.
-.IP "\fB\-p\fR \fIpassword\fR" 4
-.IX Item "-p password"
-Use \fIpassword\fR as the password for authentication rather than reading a
-password using the nnrpd authenticator protocol. This option is useful
-only for testing your authentication system (particularly since it
-involves putting a password on the command line), and does not work when
-\&\fBckpasswd\fR is run by \fBnnrpd\fR. If this option is given, \fB\-u\fR must also
-be given.
-.IP "\fB\-s\fR" 4
-.IX Item "-s"
-Check passwords against the result of \fIgetspnam\fR\|(3) instead of \fIgetpwnam\fR\|(3).
-This function, on those systems that supports it, reads from /etc/shadow
-or similar more restricted files. If you want to check passwords supplied
-to \fInnrpd\fR\|(8) against system account passwords, you will probably have to
-use this option on most systems.
-.Sp
-Most systems require special privileges to call \fIgetspnam\fR\|(3), so in order
-to use this option you may need to make \fBckpasswd\fR setgid to some group
-(like group \*(L"shadow\*(R") or even setuid root. \fBckpasswd\fR has not been
-specifically audited for such uses! It is, however, a very small program
-that you should be able to check by hand for security.
-.Sp
-This configuration is not recommended if it can be avoided, for serious
-security reasons. See \*(L"\s-1SECURITY\s0 \s-1CONSIDERATIONS\s0\*(R" in readers.conf\&(5) for
-discussion.
-.IP "\fB\-u\fR \fIusername\fR" 4
-.IX Item "-u username"
-Authenticate as \fIusername\fR. This option is useful only for testing (so
-that you can test your authentication system easily) and does not work
-when \fBckpasswd\fR is run by \fBnnrpd\fR. If this option is given, \fB\-p\fR must
-also be given.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-See \fIreaders.conf\fR\|(5) for examples of \fInnrpd\fR\|(8) authentication configuration
-that uses \fBckpasswd\fR to check passwords.
-.PP
-An example \s-1PAM\s0 configuration for \fI/etc/pam.conf\fR that tells \fBckpasswd\fR
-to check usernames and passwords against system accounts is:
-.PP
-.Vb 2
-\& nnrpd auth required pam_unix.so
-\& nnrpd account required pam_unix.so
-.Ve
-.PP
-Your system may want you to instead create a file named \fInnrpd\fR in
-\&\fI/etc/pam.d\fR with lines like:
-.PP
-.Vb 2
-\& auth required pam_unix.so
-\& account required pam_unix.so
-.Ve
-.PP
-This is only the simplest configuration. You may be able to include
-common shared files, and you may want to stack other modules, either to
-allow different authentication methods or to apply restrictions like lists
-of users who can't authenticate using \fBckpasswd\fR. The best guide is the
-documentation for your system and the other \s-1PAM\s0 configurations you're
-already using.
-.PP
-To test to make sure that \fBckpasswd\fR is working correctly, you can run it
-manually and then give it the username (prefixed with \f(CW\*(C`ClientAuthname:\*(C'\fR)
-and password (prefixed with \f(CW\*(C`ClientPassword:\*(C'\fR) on standard input. For
-example:
-.PP
-.Vb 2
-\& (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') \e
-\& | ckpasswd \-f /path/to/passwd/file
-.Ve
-.PP
-will check a username of \f(CW\*(C`test\*(C'\fR and a password of \f(CW\*(C`testing\*(C'\fR against the
-username and passwords stored in \fI/path/to/passwd/file\fR. On success,
-\&\fBckpasswd\fR will print \f(CW\*(C`User:test\*(C'\fR and exit with status 0. On failure,
-it will print some sort of error message and exit a non-zero status.
-.SH "HISTORY"
-.IX Header "HISTORY"
-Written by Russ Allbery <rra@stanford.edu> for InterNetNews.
-.PP
-$Id: ckpasswd.8 7880 2008-06-16 20:37:13Z iulius $
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIreaders.conf\fR\|(5), \fInnrpd\fR\|(8)
-.PP
-Linux users who want to use \s-1PAM\s0 should read the Linux-PAM System
-Administrator's Guide at
-<http://www.kernel.org/pub/linux/libs/pam/Linux\-PAM\-html/Linux\-PAM_SAG.html>.
~ian / innduct.git / blobdiff