Today's Topics:
1. Re: INN2 user authentication against system users (The Doctor)
2. RE: INN2 user authentication against system users (Julien ÉLIE)
3. Re: INN2 user authentication against system users (Russ Allbery)
4. Re: INN2 user authentication against system users (Kevin Shell)
5. Re: INN2 user authentication against system users (Russ Allbery)
6. Re: INN2 user authentication against system users (Kevin Shell)
----------------------------------------------------------------------
Message: 1
Date: Thu, 11 Feb 2021 07:46:33 -0700
From: The Doctor <[email protected]>
To: [email protected]
Subject: Re: INN2 user authentication against system users
Message-ID: <YCVDSdHU7ucpgG/[email protected]>
Content-Type: text/plain; charset=us-ascii
On Thu, Feb 11, 2021 at 04:27:35PM +0800, Kevin Shell wrote:
> Hello INN2 list.
> I'm an INN2 newbie user. :-)
>
> I've set up INN2 on my VPS server with nnrpd nntps(563) port,
> ckpasswd authenticating against a plain text file database,
> my readers.conf fraction reads:
>
> auth "aname" {
> require_ssl: true
> ### format [email protected]:passwd_hash
> auth: "ckpasswd -f /etc/news/newsusers"
> }
>
> access "aname" {
> users: "*"
> newsgroups: "*"
> access: RPA
> }
>
> I've successfully authenticated against the newsusers file,
> I tried to authenticate against system users but no success.
> I don't want to maintain a separate set of news users,
> how do I do authentication against the system users,
> like /etc/passwd and /etc/shadow?
>
> The readers.conf man page is complicated, I don't quite understand.
> Glad to get some example configuration. :-)
>
That too would be nice. What I have done
is to use VPN and that the user has access to INN.
> --
> kevin
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
NFLD on 13 Feb vote Liberal !
------------------------------
Message: 2
Date: Thu, 11 Feb 2021 16:21:46 +0000
From: Julien ÉLIE <[email protected]>
To: Kevin Shell <[email protected]>, "[email protected]"
<[email protected]>
Subject: RE: INN2 user authentication against system users
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"
Hi Kevin,
> I've successfully authenticated against the newsusers file,
> I tried to authenticate against system users but no success.
> I don't want to maintain a separate set of news users,
> how do I do authentication against the system users,
> like /etc/passwd and /etc/shadow?
Wouldn't "ckpasswd -s" be what you are looking for?
> The readers.conf man page is complicated, I don't quite understand.
> Glad to get some example configuration. :-)
It is one of the most complicated pages indeed!
Which part of the EXAMPLES section at the end of the man page would you like to
emphasize more?
https://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
"ckpasswd -s" is notably in 2 examples, but maybe the description is not clear
enough?
I would be happy to take into account your suggestions.
--
Julien ÉLIE
------------------------------
Message: 3
Date: Thu, 11 Feb 2021 09:49:19 -0800
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: Re: INN2 user authentication against system users
Message-ID: <[email protected]>
Content-Type: text/plain
Kevin Shell <[email protected]> writes:
> I've successfully authenticated against the newsusers file,
> I tried to authenticate against system users but no success.
> I don't want to maintain a separate set of news users,
> how do I do authentication against the system users,
> like /etc/passwd and /etc/shadow?
Just using ckpasswd without any other options will tell ckpasswd to invoke
PAM to verify the password. PAM will, in turn, check authentication
against the normal system authentication files (as configured by your
regular PAM configuration). It claims to be the application "nnrpd".
You may need to install a (simple) PAM configuration as documented in the
ckpasswd man page, although I think most systems provide a sensible
default.
You probably want to go through PAM rather than using ckpasswd -s because
PAM will generally use a setgid helper program to allow it to read
/etc/shadow without you having to do special configuration.
--
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
------------------------------
Message: 4
Date: Fri, 12 Feb 2021 09:07:34 +0800
From: Kevin Shell <[email protected]>
To: [email protected]
Subject: Re: INN2 user authentication against system users
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
On Thu, Feb 11, 2021 at 09:49:19AM -0800, Russ Allbery wrote:
>
> Just using ckpasswd without any other options will tell ckpasswd to invoke
> PAM to verify the password. PAM will, in turn, check authentication
> against the normal system authentication files (as configured by your
> regular PAM configuration). It claims to be the application "nnrpd".
>
> You may need to install a (simple) PAM configuration as documented in the
> ckpasswd man page, although I think most systems provide a sensible
> default.
>
> You probably want to go through PAM rather than using ckpasswd -s because
> PAM will generally use a setgid helper program to allow it to read
> /etc/shadow without you having to do special configuration.
>
quote from man 8 ckpasswd
Most systems require special privileges to call getspnam(3), so in order
to use this option you may need to make ckpasswd setgid to some group
(like group "shadow") or even setuid root. ckpasswd has not been
specifically audited for such uses! It is, however, a very small
program that you should be able to check by hand for security.
I followed the man page and changed the ckpasswd binary to setgid shadow.
It works, but the man pages don't encourage the usage "ckpasswd -s".
Is it safe to use?
Maybe I have to fall back to
just the original usage "ckpasswd -f /etc/news/newsusers"
--
kevin
------------------------------
Message: 5
Date: Thu, 11 Feb 2021 17:11:15 -0800
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: Re: INN2 user authentication against system users
Message-ID: <[email protected]>
Content-Type: text/plain
Kevin Shell <[email protected]> writes:
> On Thu, Feb 11, 2021 at 09:49:19AM -0800, Russ Allbery wrote:
>> Just using ckpasswd without any other options will tell ckpasswd to
>> invoke PAM to verify the password. PAM will, in turn, check
>> authentication against the normal system authentication files (as
>> configured by your regular PAM configuration). It claims to be the
>> application "nnrpd".
>> You may need to install a (simple) PAM configuration as documented in
>> the ckpasswd man page, although I think most systems provide a sensible
>> default.
>> You probably want to go through PAM rather than using ckpasswd -s
>> because PAM will generally use a setgid helper program to allow it to
>> read /etc/shadow without you having to do special configuration.
> quote from man 8 ckpasswd
> Most systems require special privileges to call getspnam(3), so in
> order to use this option you may need to make ckpasswd setgid to
> some group (like group "shadow") or even setuid root. ckpasswd
> has not been specifically audited for such uses! It is, however,
> a very small program that you should be able to check by hand for
> security.
> I followed the man page and changed the ckpasswd binary to setgid shadow.
> It works, but the man pages don't encourage the usage "ckpasswd -s".
Correct. I would encourage you to instead just use "ckpasswd" and drop
the -s flag and the setgid bit. It will probably just work.
> Is it safe to use?
> Maybe I have to fall back to
> just the original usage "ckpasswd -f /etc/news/newsusers"
You should try calling it without any arguments first. :)
--
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
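
The reply above recommends dropping both the -s flag and the setgid bit so that ckpasswd goes through PAM. As an added example (not part of the thread and not INN code), this script reports which ckpasswd mode a readers.conf uses and whether the ckpasswd binary carries privilege bits; the sample readers.conf and the stand-in binary file are constructed, and the real binary path depends on the install.

```shell
#!/bin/sh
# Added example: report how readers.conf invokes ckpasswd and whether the
# ckpasswd binary carries privilege bits. Only the modes named in the thread
# are recognised: -f FILE, -s (shadow), and no option (PAM, service "nnrpd").

classify_auth() {   # $1 = readers.conf; prints one mode per ckpasswd auth line
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*auth:/ && /ckpasswd/ {
            mode = "pam"                         # default when no option is given
            n = split($0, w, /[ \t"]+/)
            for (i = 1; i <= n; i++) {
                if (w[i] == "-s") mode = "shadow"
                else if (w[i] == "-f") mode = "file"
            }
            print mode
        }' "$1"
}

priv_bits() {       # $1 = ckpasswd binary; prints setuid, setgid or none
    if [ -u "$1" ]; then echo setuid
    elif [ -g "$1" ]; then echo setgid
    else echo none
    fi
}

audit() {           # $1 = readers.conf, $2 = ckpasswd binary
    bits=$(priv_bits "$2")
    for mode in $(classify_auth "$1"); do
        case "$mode:$bits" in
            shadow:*) echo "REVIEW: -s reads shadow directly (binary: $bits); PAM avoids this" ;;
            *:none)   echo "OK: $mode mode, no privilege bits on binary" ;;
            *)        echo "REVIEW: $mode mode does not need the $bits bit" ;;
        esac
    done
}

# Constructed sample: the -s setup described in the thread, with an empty file
# standing in for the ckpasswd binary.
demo=$(mktemp -d)
printf 'auth "aname" {\n    require_ssl: true\n    auth: "ckpasswd -s"\n}\n' > "$demo/readers.conf"
: > "$demo/ckpasswd"
audit "$demo/readers.conf" "$demo/ckpasswd"
rm -rf "$demo"
```
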
------------------------------
Message: 6
Date: Fri, 12 Feb 2021 09:22:48 +0800
From: Kevin Shell <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Re: INN2 user authentication against system users
Message-ID: <[email protected]>
Content-Type: text/plain; charset=iso-8859-1
On Thu, Feb 11, 2021 at 04:21:46PM +0000, Julien ÉLIE wrote:
> Hi Kevin,
>
Hallo Julien ÉLIE. :-)
> > I've successfully authenticated against the newsusers file,
> > I tried to authenticate against system users but no success.
> > I don't want to maintain a separate set of news users,
> > how do I do authentication against the system users,
> > like /etc/passwd and /etc/shadow?
>
> Wouldn't "ckpasswd -s" be what you are looking for?
>
I have to change ckpasswd to setgid shadow,
and it works on GNU/Linux; I don't know if it works for other OSes.
>
> > The readers.conf man page is complicated, I don't quite understand.
> > Glad to get some example configuration. :-)
>
> It is one of the most complicated pages indeed!
>
Indeed it is.
> Which part of the EXAMPLES section at the end of the man page would you like
> to emphasize more?
> https://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
>
> "ckpasswd -s" is notably in 2 examples, but maybe the description is not
> clear enough?
>
> I would be happy to take into account your suggestions.
>
I think just plain User/Password authentication over nntps should be easy. :-)
--
kevin
------------------------------
Subject: Digest Footer
_______________________________________________
inn-workers mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/inn-workers
------------------------------
End of inn-workers Digest, Vol 128, Issue 2
*******************************************