ckpasswd man page on CentOS

Man page or keyword search:  
man Server   8420 pages
apropos Keyword Search (all sections)
Output format
CentOS logo
[printable version]

CKPASSWD(8)		  InterNetNews Documentation		   CKPASSWD(8)

NAME
       ckpasswd - nnrpd password authenticator

SYNOPSIS
       ckpasswd [-gs] [-d database] [-f filename] [-u username -p password]

DESCRIPTION
       ckpasswd is the basic password authenticator for nnrpd, suitable for
       being run from an auth stanza in readers.conf.  See readers.conf(5) for
       more information on how to configure an nnrpd authenticator.

       ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
       whether that's the correct password for that username.  By default,
       when given no arguments, it tries to check the password using PAM if
       support for PAM was found when INN was built.  Failing that, it tries
       to check the password against the password field returned by getpw‐
       nam(3).	Note that these days most systems no longer make real pass‐
       words available via getpwnam(3) (some still do if and only if the pro‐
       gram calling getpwnam(3) is running as root).

       When using PAM, ckpasswd identifies itself as "nnrpd", not as
       "ckpasswd", and the PAM configuration must be set up accordingly.  The
       details of PAM configuration are different on different operating sys‐
       tems (and even different Linux distributions); see EXAMPLES below for
       help getting started, and look for a pam(7) or pam.conf(4) manual page
       on your system.

       When using any method other than PAM, ckpasswd expects all passwords to
       be stored encrypted by the system crypt(3) function and calls crypt(3)
       on the supplied password before comparing it to the expected password.
       IF you're using a different password hash scheme (like MD5), you must
       use PAM.

OPTIONS
       -d database
	   Read passwords from a database (ndbm or dbm format depending on
	   what your system has) rather than by using getpwnam(3).  ckpasswd
	   expects database.dir and database.pag to exist and to be a database
	   keyed by username with the encrypted passwords as the values.

	   While INN doesn't come with a program intended specifically to cre‐
	   ate such databases, on most systems it's fairly easy to write a
	   Perl script to do so.  Something like:

	       #!/usr/bin/perl
	       use NDBM_File;
	       use Fcntl;
	       tie (%db, 'NDBM_File', '/path/to/database', O_RDWR⎪O_CREAT, 0640)
		   or die "Cannot open /path/to/database: $!\n";
	       $⎪ = 1;
	       print "Username: ";
	       my $user = <STDIN>;
	       chomp $user;
	       print "Password: ";
	       my $passwd = <STDIN>;
	       chomp $passwd;
	       my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
	       my $salt = join '', @alphabet[rand 64, rand 64];
	       $db{$user} = crypt ($passwd, $salt);
	       untie %db;

	   Note that this will echo back the password when typed; there are
	   obvious improvements that could be made to this, but it should be a
	   reasonable start.  Sometimes a program like this will be available
	   with the name dbmpasswd.

	   This option will not be available on systems without dbm or ndbm
	   libraries.

       -f filename
	   Read passwords from the given file rather than using getpwnam(3).
	   The file is expected to be formatted like a system password file,
	   at least vaguely.  That means each line should look something like:

	       username:pdIh9NCNslkq6

	   (and each line may have an additional colon after the encrypted
	   password and additional data; that data will be ignored by
	   ckpasswd).  Lines starting with a number sign (`#') are ignored.
	   INN does not come with a utility to create the encrypted passwords,
	   but htpasswd (which comes with Apache) can do so and it's a quick
	   job with Perl (see the example script under -d).  If using Apache's
	   htpasswd program, be sure to give it the -d option so that it will
	   use crypt(3).

       -g  Attempt to look up system group corresponding to username and
	   return a string like "user@group" to be matched against in read‐
	   ers.conf.  This option is incompatible with the -d and -f options.

       -p password
	   Use password as the password for authentication rather than reading
	   a password using the nnrpd authenticator protocol.  This option is
	   useful only for testing your authentication system (particularly
	   since it involves putting a password on the command line), and does
	   not work when ckpasswd is run by nnrpd.  If this option is given,
	   -u must also be given.

       -s  Check passwords against the result of getspnam(3) instead of getpw‐
	   nam(3).  This function, on those systems that supports it, reads
	   from /etc/shadow or similar more restricted files.  If you want to
	   check passwords supplied to nnrpd(8) against system account pass‐
	   words, you will probably have to use this option on most systems.

	   Most systems require special privileges to call getspnam(3), so in
	   order to use this option you may need to make ckpasswd setgid to
	   some group (like group "shadow") or even setuid root.  ckpasswd has
	   not been specifically audited for such uses!	 It is, however, a
	   very small program that you should be able to check by hand for
	   security.

	   This configuration is not recommended if it can be avoided, for
	   serious security reasons.  See "SECURITY CONSIDERATIONS" in read‐
	   ers.conf(5) for discussion.

       -u username
	   Authenticate as username.  This option is useful only for testing
	   (so that you can test your authentication system easily) and does
	   not work when ckpasswd is run by nnrpd.  If this option is given,
	   -p must also be given.

EXAMPLES
       See readers.conf(5) for examples of nnrpd(8) authentication configura‐
       tion that uses ckpasswd to check passwords.

       An example PAM configuration for /etc/pam.conf that tells ckpasswd to
       check usernames and passwords against system accounts is:

	   nnrpd auth	 required pam_unix.so
	   nnrpd account required pam_unix.so

       Your system may want you to instead create a file named nnrpd in
       /etc/pam.d with lines like:

	   auth	   required pam_unix.so
	   account required pam_unix.so

       This is only the simplest configuration.	 You may be able to include
       common shared files, and you may want to stack other modules, either to
       allow different authentication methods or to apply restrictions like
       lists of users who can't authenticate using ckpasswd.  The best guide
       is the documentation for your system and the other PAM configurations
       you're already using.

       To test to make sure that ckpasswd is working correctly, you can run it
       manually and then give it the username (prefixed with "ClientAuth‐
       name:") and password (prefixed with "ClientPassword:") on standard
       input.  For example:

	   (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') \
	       ⎪ ckpasswd -f /path/to/passwd/file

       will check a username of "test" and a password of "testing" against the
       username and passwords stored in /path/to/passwd/file.  On success,
       ckpasswd will print "User:test" and exit with status 0.	On failure, it
       will print some sort of error message and exit a non-zero status.

HISTORY
       Written by Russ Allbery <rra@stanford.edu> for InterNetNews.

       $Id: ckpasswd.8 7215 2005-04-11 20:43:21Z rra $

SEE ALSO
       readers.conf(5), nnrpd(8)

       Linux users who want to use PAM should read the Linux-PAM System Admin‐
       istrator's Guide at <http://www.ker‐
       nel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html>.

INN 2.4.3			  2005-04-11			   CKPASSWD(8)
[top]

List of man pages available for CentOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net