ckpasswd - nnrpd password authenticator


   ckpasswd [-gs] [-d database] [-f filename] [-u username -p password]


   ckpasswd is the basic password authenticator for nnrpd, suitable for
   being run from an auth stanza in readers.conf.  See readers.conf(5) for
   more information on how to configure an nnrpd authenticator.

   ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
   whether that's the correct password for that username.  By default,
   when given no arguments, it tries to check the password using PAM if
   support for PAM was found when INN was built.  Failing that, it tries
   to check the password against the password field returned by
   getpwnam(3).  Note that these days most systems no longer make real
   passwords available via getpwnam(3) (some still do if and only if the
   program calling getpwnam(3) is running as root).

   When using PAM, ckpasswd identifies itself as "nnrpd", not as
   "ckpasswd", and the PAM configuration must be set up accordingly.  The
   details of PAM configuration are different on different operating
   systems (and even different Linux distributions); see EXAMPLES below
   for help getting started, and look for a pam(7) or pam.conf(4) manual
   page on your system.

   When using any method other than PAM, ckpasswd expects all passwords to
   be stored encrypted by the system crypt(3) function and calls crypt(3)
   on the supplied password before comparing it to the expected password.
   If you're using a different password hash scheme (like MD5), you must
   use PAM.


   -d database
       Read passwords from a database (ndbm, gdbm or dbm format depending
       on what your system has) rather than by using getpwnam(3).
       ckpasswd expects database.dir and database.pag to exist and to be a
       database keyed by username with the encrypted passwords as the

       While INN doesn't come with a program intended specifically to
       create such databases, on most systems it's fairly easy to write a
       Perl script to do so.  Something like:

           use NDBM_File;
           use Fcntl;
           tie (%db, 'NDBM_File', '/path/to/database', O_RDWR|O_CREAT, 0640)
               or die "Cannot open /path/to/database: $!\n";
           $| = 1;
           print "Username: ";
           my $user = <STDIN>;
           chomp $user;
           print "Password: ";
           my $passwd = <STDIN>;
           chomp $passwd;
           my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
           my $salt = join '', @alphabet[rand 64, rand 64];
           $db{$user} = crypt ($passwd, $salt);
           untie %db;

       Note that this will echo back the password when typed; there are
       obvious improvements that could be made to this, but it should be a
       reasonable start.  Sometimes a program like this will be available
       with the name dbmpasswd.

       This option will not be available on systems without ndbm, gdbm or
       dbm libraries.

   -f filename
       Read passwords from the given file rather than using getpwnam(3).
       The file is expected to be formatted like a system password file,
       at least vaguely.  That means each line should look something like:


       (and each line may have an additional colon after the encrypted
       password and additional data; that data will be ignored by
       ckpasswd).  Lines starting with a number sign ("#") are ignored.
       INN does not come with a utility to create the encrypted passwords,
       but htpasswd (which comes with Apache) can do so and it's a quick
       job with Perl (see the example script under -d, or also below).  If
       using Apache's htpasswd program, be sure to give it the -d option
       so that it will use crypt(3).

       A line in filename for the user "user" with the password "pass"
       would be "user:LIfOpbjNaEQYE" as obtained by the following command:

           % htpasswd -nbd user pass

       In case htpasswd is not installed or if you do not want to depend
       on it, another command involving Perl does a similar job:

           % perl -e 'print "user:".crypt("pass", "LI")."\n";'

   -g  Attempt to look up system group corresponding to username and
       return a string like "user@group" to be matched against in
       readers.conf.  This option is incompatible with the -d and -f

   -p password
       Use password as the password for authentication rather than reading
       a password using the nnrpd authenticator protocol.  This option is
       useful only for testing your authentication system (particularly
       since it involves putting a password on the command line), and does
       not work when ckpasswd is run by nnrpd.  If this option is given,
       -u must also be given.

   -s  Check passwords against the result of getspnam(3) instead of
       getpwnam(3).  This function, on those systems that supports it,
       reads from /etc/shadow or similar more restricted files.  If you
       want to check passwords supplied to nnrpd(8) against system account
       passwords, you will probably have to use this option on most

       Most systems require special privileges to call getspnam(3), so in
       order to use this option you may need to make ckpasswd setgid to
       some group (like group "shadow") or even setuid root.  ckpasswd has
       not been specifically audited for such uses!  It is, however, a
       very small program that you should be able to check by hand for

       This configuration is not recommended if it can be avoided, for
       serious security reasons.  See "SECURITY CONSIDERATIONS" in
       readers.conf(5) for discussion.

   -u username
       Authenticate as username.  This option is useful only for testing
       (so that you can test your authentication system easily) and does
       not work when ckpasswd is run by nnrpd.  If this option is given,
       -p must also be given.


   See readers.conf(5) for examples of nnrpd(8) authentication
   configuration that uses ckpasswd to check passwords.

   An example PAM configuration for /etc/pam.conf that tells ckpasswd to
   check usernames and passwords against system accounts is:

       nnrpd auth    required
       nnrpd account required

   Your system may want you to instead create a file named nnrpd in
   /etc/pam.d with lines like:

       auth    required
       account required

   This is only the simplest configuration.  You may be able to include
   common shared files, and you may want to stack other modules, either to
   allow different authentication methods or to apply restrictions like
   lists of users who can't authenticate using ckpasswd.  The best guide
   is the documentation for your system and the other PAM configurations
   you're already using.

   To test to make sure that ckpasswd is working correctly, you can run it
   manually and then give it the username (prefixed with
   "ClientAuthname:") and password (prefixed with "ClientPassword:") on
   standard input.  For example:

       (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') \
           | ckpasswd -f /path/to/passwd/file

   will check a username of "test" and a password of "testing" against the
   username and passwords stored in /path/to/passwd/file.  On success,
   ckpasswd will print "User:test" and exit with status 0.  On failure, it
   will print some sort of error message and exit a non-zero status.


   Written by Russ Allbery <> for InterNetNews.

   $Id: ckpasswd.pod 9937 2015-09-02 12:44:39Z iulius $


   crypt(3), nnrpd(8), pam(7), readers.conf(5).


Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.

Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.

Free Software

Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.

Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.

Free Books

The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.

Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.


Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.

Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.