X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=innduct.git;a=blobdiff_plain;f=doc%2Fman%2Fckpasswd.8;fp=doc%2Fman%2Fckpasswd.8;h=0000000000000000000000000000000000000000;hp=414421191a7cba325cb25d16a0ccb8fc610d25ad;hb=b7a32e2d73e3ab1add8208d3e157f7269a31ef4d;hpb=ac902a8299ff4469b356836f431ead31c3377377 diff --git a/doc/man/ckpasswd.8 b/doc/man/ckpasswd.8 deleted file mode 100644 index 4144211..0000000 --- a/doc/man/ckpasswd.8 +++ /dev/null @@ -1,311 +0,0 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.if \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.\" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.hy 0 -.if n .na -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "CKPASSWD 8" -.TH CKPASSWD 8 "2008-04-06" "INN 2.4.5" "InterNetNews Documentation" -.SH "NAME" -ckpasswd \- nnrpd password authenticator -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBckpasswd\fR [\fB\-gs\fR] [\fB\-d\fR \fIdatabase\fR] [\fB\-f\fR \fIfilename\fR] -[\fB\-u\fR \fIusername\fR \fB\-p\fR \fIpassword\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fBckpasswd\fR is the basic password authenticator for nnrpd, suitable for -being run from an auth stanza in \fIreaders.conf\fR. See \fIreaders.conf\fR\|(5) for -more information on how to configure an nnrpd authenticator. -.PP -\&\fBckpasswd\fR accepts a username and password from nnrpd and tells \fInnrpd\fR\|(8) -whether that's the correct password for that username. By default, when -given no arguments, it tries to check the password using \s-1PAM\s0 if support -for \s-1PAM\s0 was found when \s-1INN\s0 was built. Failing that, it tries to check the -password against the password field returned by \fIgetpwnam\fR\|(3). Note that -these days most systems no longer make real passwords available via -\&\fIgetpwnam\fR\|(3) (some still do if and only if the program calling \fIgetpwnam\fR\|(3) -is running as root). -.PP -When using \s-1PAM\s0, \fBckpasswd\fR identifies itself as \f(CW\*(C`nnrpd\*(C'\fR, not as -\&\f(CW\*(C`ckpasswd\*(C'\fR, and the \s-1PAM\s0 configuration must be set up accordingly. The -details of \s-1PAM\s0 configuration are different on different operating systems -(and even different Linux distributions); see \s-1EXAMPLES\s0 below for help -getting started, and look for a \fIpam\fR\|(7) or \fIpam.conf\fR\|(4) manual page on your -system. -.PP -When using any method other than \s-1PAM\s0, \fBckpasswd\fR expects all passwords to -be stored encrypted by the system \fIcrypt\fR\|(3) function and calls \fIcrypt\fR\|(3) on -the supplied password before comparing it to the expected password. \s-1IF\s0 -you're using a different password hash scheme (like \s-1MD5\s0), you must use -\&\s-1PAM\s0. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-d\fR \fIdatabase\fR" 4 -.IX Item "-d database" -Read passwords from a database (ndbm or dbm format depending on what your -system has) rather than by using \fIgetpwnam\fR\|(3). \fBckpasswd\fR expects -\&\fIdatabase\fR.dir and \fIdatabase\fR.pag to exist and to be a database keyed by -username with the encrypted passwords as the values. -.Sp -While \s-1INN\s0 doesn't come with a program intended specifically to create such -databases, on most systems it's fairly easy to write a Perl script to do -so. Something like: -.Sp -.Vb 16 -\& #!/usr/bin/perl -\& use NDBM_File; -\& use Fcntl; -\& tie (%db, 'NDBM_File', '/path/to/database', O_RDWR|O_CREAT, 0640) -\& or die "Cannot open /path/to/database: $!\en"; -\& $| = 1; -\& print "Username: "; -\& my $user = ; -\& chomp $user; -\& print "Password: "; -\& my $passwd = ; -\& chomp $passwd; -\& my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z'); -\& my $salt = join '', @alphabet[rand 64, rand 64]; -\& $db{$user} = crypt ($passwd, $salt); -\& untie %db; -.Ve -.Sp -Note that this will echo back the password when typed; there are obvious -improvements that could be made to this, but it should be a reasonable -start. Sometimes a program like this will be available with the name -\&\fBdbmpasswd\fR. -.Sp -This option will not be available on systems without dbm or ndbm -libraries. -.IP "\fB\-f\fR \fIfilename\fR" 4 -.IX Item "-f filename" -Read passwords from the given file rather than using \fIgetpwnam\fR\|(3). The -file is expected to be formatted like a system password file, at least -vaguely. That means each line should look something like: -.Sp -.Vb 1 -\& username:pdIh9NCNslkq6 -.Ve -.Sp -(and each line may have an additional colon after the encrypted password -and additional data; that data will be ignored by \fBckpasswd\fR). Lines -starting with a number sign (`#') are ignored. \s-1INN\s0 does not come with a -utility to create the encrypted passwords, but \fBhtpasswd\fR (which comes -with Apache) can do so and it's a quick job with Perl (see the example -script under \fB\-d\fR). If using Apache's \fBhtpasswd\fR program, be sure to -give it the \fB\-d\fR option so that it will use \fIcrypt\fR\|(3). -.IP "\fB\-g\fR" 4 -.IX Item "-g" -Attempt to look up system group corresponding to username and return a -string like \*(L"user@group\*(R" to be matched against in \fIreaders.conf\fR. This -option is incompatible with the \fB\-d\fR and \fB\-f\fR options. -.IP "\fB\-p\fR \fIpassword\fR" 4 -.IX Item "-p password" -Use \fIpassword\fR as the password for authentication rather than reading a -password using the nnrpd authenticator protocol. This option is useful -only for testing your authentication system (particularly since it -involves putting a password on the command line), and does not work when -\&\fBckpasswd\fR is run by \fBnnrpd\fR. If this option is given, \fB\-u\fR must also -be given. -.IP "\fB\-s\fR" 4 -.IX Item "-s" -Check passwords against the result of \fIgetspnam\fR\|(3) instead of \fIgetpwnam\fR\|(3). -This function, on those systems that supports it, reads from /etc/shadow -or similar more restricted files. If you want to check passwords supplied -to \fInnrpd\fR\|(8) against system account passwords, you will probably have to -use this option on most systems. -.Sp -Most systems require special privileges to call \fIgetspnam\fR\|(3), so in order -to use this option you may need to make \fBckpasswd\fR setgid to some group -(like group \*(L"shadow\*(R") or even setuid root. \fBckpasswd\fR has not been -specifically audited for such uses! It is, however, a very small program -that you should be able to check by hand for security. -.Sp -This configuration is not recommended if it can be avoided, for serious -security reasons. See \*(L"\s-1SECURITY\s0 \s-1CONSIDERATIONS\s0\*(R" in readers.conf\&(5) for -discussion. -.IP "\fB\-u\fR \fIusername\fR" 4 -.IX Item "-u username" -Authenticate as \fIusername\fR. This option is useful only for testing (so -that you can test your authentication system easily) and does not work -when \fBckpasswd\fR is run by \fBnnrpd\fR. If this option is given, \fB\-p\fR must -also be given. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -See \fIreaders.conf\fR\|(5) for examples of \fInnrpd\fR\|(8) authentication configuration -that uses \fBckpasswd\fR to check passwords. -.PP -An example \s-1PAM\s0 configuration for \fI/etc/pam.conf\fR that tells \fBckpasswd\fR -to check usernames and passwords against system accounts is: -.PP -.Vb 2 -\& nnrpd auth required pam_unix.so -\& nnrpd account required pam_unix.so -.Ve -.PP -Your system may want you to instead create a file named \fInnrpd\fR in -\&\fI/etc/pam.d\fR with lines like: -.PP -.Vb 2 -\& auth required pam_unix.so -\& account required pam_unix.so -.Ve -.PP -This is only the simplest configuration. You may be able to include -common shared files, and you may want to stack other modules, either to -allow different authentication methods or to apply restrictions like lists -of users who can't authenticate using \fBckpasswd\fR. The best guide is the -documentation for your system and the other \s-1PAM\s0 configurations you're -already using. -.PP -To test to make sure that \fBckpasswd\fR is working correctly, you can run it -manually and then give it the username (prefixed with \f(CW\*(C`ClientAuthname:\*(C'\fR) -and password (prefixed with \f(CW\*(C`ClientPassword:\*(C'\fR) on standard input. For -example: -.PP -.Vb 2 -\& (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') \e -\& | ckpasswd \-f /path/to/passwd/file -.Ve -.PP -will check a username of \f(CW\*(C`test\*(C'\fR and a password of \f(CW\*(C`testing\*(C'\fR against the -username and passwords stored in \fI/path/to/passwd/file\fR. On success, -\&\fBckpasswd\fR will print \f(CW\*(C`User:test\*(C'\fR and exit with status 0. On failure, -it will print some sort of error message and exit a non-zero status. -.SH "HISTORY" -.IX Header "HISTORY" -Written by Russ Allbery for InterNetNews. -.PP -$Id: ckpasswd.8 7880 2008-06-16 20:37:13Z iulius $ -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIreaders.conf\fR\|(5), \fInnrpd\fR\|(8) -.PP -Linux users who want to use \s-1PAM\s0 should read the Linux-PAM System -Administrator's Guide at -.