• INN2 set up user authentication via ckpasswd

    From Anonymous@anon@anon.anon to news.software.nntp on Sat Jul 12 17:25:36 2025
    From Newsgroup: news.software.nntp

    For latest version of INN2 in Debian stable.

    I think using ckpasswd is the most viable option for authentication since it is simple to add and remove users and it is a flat text file without database bugs and vulnerabilities.

    I need to prevent all non-authenticated users from posting to newsgroups and authenticate via ckpasswd.

    How do I configure INN2 so that I can add users with ckpasswd and force INN2 to authenticate via ckpasswd?

    If there is a better method I am all ears. Please don't suggest some 3rd party program that is not included in the Debian stable repos. Please don't suggest something that uses a database or some other attack surface generator. I'm not interested in complicated stuff like that.

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Anonymous@anon@anon.anon to news.software.nntp on Sat Jul 12 20:31:58 2025
    From Newsgroup: news.software.nntp

    On Sat, 12 Jul 2025 17:25:36 -0500
    Anonymous <anon@anon.anon> wrote:

    For latest version of INN2 in Debian stable.

    I think using ckpasswd is the most viable option for authentication since it is simple to add and remove users and it is a flat text file without database bugs and vulnerabilities.

    I need to prevent all non-authenticated users from posting to newsgroups and authenticate via ckpasswd.

    How do I configure INN2 so that I can add users with ckpasswd and force INN2 to authenticate via ckpasswd?

    If there is a better method I am all ears. Please don't suggest some 3rd party program that is not included in the Debian stable repos. Please don't suggest something that uses a database or some other attack surface generator. I'm not interested in complicated stuff like that.


    I added this to readers.conf:

    auth: "/usr/lib/news/bin/auth/passwd/ckpasswd -f /etc/news/userdb"

    I created a test user and got auth failure.

    ~ htpasswd -nbd test test > /etc/news/userdb

    ~ chown news:news /etc/news/userdb

    ~ stat /etc/news/userdb
    File: /etc/news/userdb
    Size: 20 Blocks: 8 IO Block: 4096 regular file Device: 254,1 Inode: 257747 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 9/ news) Gid: ( 9/ news)

    ~ cat /etc/passwd | grep news
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

    In the telnet session:

    authinfo user test
    502 Authentication will fail
    authinfo pass test
    502 Authentication will fail

    What am I missing?

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Julien ÉLIE@iulius@nom-de-mon-site.com.invalid to news.software.nntp on Mon Jul 14 07:00:16 2025
    From Newsgroup: news.software.nntp

    Hi,

    I added this to readers.conf:

    auth: "/usr/lib/news/bin/auth/passwd/ckpasswd -f /etc/news/userdb"

    What is the whole contents of your readers.conf file?
    It needs at least something like:

    auth "users" {
    auth: "ckpasswd -f /etc/news/userdb"
    default: "<unauthenticated>"
    }

    access "authenticatedpeople" {
    users: "*"
    newsgroups: "*"
    }

    access "restrictive" {
    users: "<unauthenticated>"
    newsgroups: "!*"
    }

    See https://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
    The rights for authenticated people (and for unauthenticated people)
    have to be explained.


    I created a test user and got auth failure.

    Here, if you successfully authenticate with the "test" user, his
    assigned identity is "test" in the "users" keyword of access blocks.
    When authentication fails, the identity is "<unauthenticated>" (the
    default value of the auth block).


    ~ htpasswd -nbd test test > /etc/news/userdb

    More secure hashes are recommended, like ones obtained with:
    openssl passwd -5 test

    https://www.eyrie.org/~eagle/software/inn/docs/ckpasswd.html
    --
    Julien ÉLIE

    « – Hoo hoo!
    – Ouch, ouch!
    – Phew!
    – Where phew? » (Astérix)

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Anonymous@anon@anon.anon to news.software.nntp on Mon Jul 14 21:40:35 2025
    From Newsgroup: news.software.nntp

    On Mon, 14 Jul 2025 07:00:16 +0200
    Julien ÉLIE <iulius@nom-de-mon-site.com.invalid> wrote:
    Hi,

    I added this to readers.conf:

    auth: "/usr/lib/news/bin/auth/passwd/ckpasswd -f /etc/news/userdb"

    What is the whole contents of your readers.conf file?
    It needs at least something like:

    auth "users" {
    auth: "ckpasswd -f /etc/news/userdb"
    default: "<unauthenticated>"
    }

    access "authenticatedpeople" {
    users: "*"
    newsgroups: "*"
    }

    access "restrictive" {
    users: "<unauthenticated>"
    newsgroups: "!*"
    }

    I pasted this into readers.conf, removing all other lines. I still get the message, "authentication will fail."

    See https://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
    The rights for authenticated people (and for unauthenticated people)
    have to be explained.

    It's not that I need an explanation of the rights--I need an explanation of configuration that will actually work. An example of a working configuration that is working in real life on an active install would be helpful.
    I created a test user and got auth failure.

    Here, if you successfully authenticate with the "test" user, his
    assigned identity is "test" in the "users" keyword of access blocks.
    When authentication fails, the identity is "<unauthenticated>" (the
    default value of the auth block).


    ~ htpasswd -nbd test test > /etc/news/userdb

    More secure hashes are recommended, like ones obtained with:
    openssl passwd -5 test

    https://www.eyrie.org/~eagle/software/inn/docs/ckpasswd.html

    My goals are simple:
    Nobody can post without having an entry in the user list. Only I can create such an entry. No PAM, no shadows, just a list of usernames and password hashes is all I want, so that INN2 will check against this list and deny access to any not included in the list.
    At this point, after looking at the documentation, it appears there is not enough information to proceed. I have already spent an inordinate amount of time poking around and this is where I am stuck.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Anonymous@anon@anon.anon to news.software.nntp on Mon Jul 14 22:35:50 2025
    From Newsgroup: news.software.nntp

    Authentication works with the below configuration in readers.conf. Authentication also works with the commented lines uncommented. I suppose INN is choosing the first one that applies? Anyway I consider this issue mostly solved. Any pointers on a cleaner config would be appreciated.

    I needed to include the full path to ckpasswd as it is not in system path. I also needed to make sure I was entering into mode reader before authenticating.

    Thank you, Julien, for the help and the copious documentation. I will follow your advice for a more secure password hashing scheme. The default one does look rather weak.

    auth "foreignokay" {
    auth: "/usr/lib/news/bin/auth/passwd/ckpasswd -f /etc/news/userdb"
    default: "<unauthenticated>"
    }

    access "authenticatedpeople" {
    users: "*"
    newsgroups: "*"
    }

    # auth "users" {
    # auth: "/usr/lib/news/bin/auth/passwd/ckpasswd -f /etc/news/userdb"
    # default: "<unauthenticated>"
    # }

    access "restrictive" {
    users: "<unauthenticated>"
    newsgroups: "!*"
    }

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Julien ÉLIE@iulius@nom-de-mon-site.com.invalid to news.software.nntp on Wed Jul 16 07:09:43 2025
    From Newsgroup: news.software.nntp

    Hi,

    Authentication works with the below configuration in readers.conf.
    I suppose INN is choosing the first one that applies?

    Glad to hear that!
    Both authentication and access blocks are checked from the *last* one in
    the readers.conf file to the first one (bottom up). As soon as one
    matches, the corresponding identity or access is assigned to the user.


    I needed to include the full path to ckpasswd as it is not in system path.

    Strange. There's normally no need to give the full path, or to have it in
    the system path, as you seem to use the default one (/usr/lib/news/bin/auth/passwd),
    which is hard-coded in INN:

    tmp = concatpath(innconf->pathbin, INN_PATH_AUTHDIR);
    resdir = concatpath(tmp, INN_PATH_AUTHDIR_PASSWD);
    auth_external(&Client, command, resdir, username, password);


    I suppose pathbin in inn.conf is "/usr/lib/news/bin".
    Then the "auth" and "passwd" subdirectories are added to this path, and
    your ckpasswd program is started from there by default when no full path
    is given.


    I also needed to make sure I was entering into mode reader before authenticating.

    Ah, that was it!
    Indeed, you need to be in reader mode. Sorry I did not spot that as I
    did not know the whole NNTP session. The greeting banner would have
    been of help.

    FWIW, authentication in transit mode is configured in incoming.conf
    (see the password parameter) and applies to your peers.


    I will follow your advice for a more secure password hashing scheme.
    The default one does look rather weak.

    Yes.
    --
    Julien ÉLIE

    « My wife claims I never listen to what she says... well... something
    like that. » (Chevy Chase)

    --- Synchronet 3.21a-Linux NewsLink 1.2
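The bottom-up rule Julien describes, applied to the working readers.conf posted earlier in the thread, as an added example that is neither INN's code nor any poster's: a small Python evaluator that reproduces how the assigned identity ("test" on success, the auth block's default "<unauthenticated>" on failure) selects an access block and whether a newsgroup is then visible. The SWAPPED list is constructed to show why the order of the two access blocks matters: with "authenticatedpeople" last, its users: "*" also matches "<unauthenticated>" and unauthenticated readers would get everything.

```python
# Added example (not INN's own code): evaluator for the readers.conf rule in the
# thread: auth/access blocks are tried bottom-up, the last matching block wins.
import fnmatch
import re

BLOCK_RE = re.compile(r'^(auth|access)\s+"([^"]*)"\s*\{$')
KV_RE = re.compile(r'^(\w+):\s*"([^"]*)"$')

def wildmat(patterns, name):
    """INN-style wildmat: comma-separated globs, '!' negates, last match wins."""
    result = False
    for pat in (p.strip() for p in patterns.split(",")):
        if fnmatch.fnmatchcase(name, pat.lstrip("!")):
            result = not pat.startswith("!")
    return result

def parse_readers_conf(text):
    """Return [(kind, name, {key: value})] in file order; '#' comments are dropped."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := BLOCK_RE.match(line):
            current = (m.group(1), m.group(2), {})
            blocks.append(current)
        elif (kv := KV_RE.match(line)) and current is not None:
            current[2][kv.group(1)] = kv.group(2)
    return blocks

def can_read(blocks, username, authenticated, newsgroup):
    """Resolve the identity, then walk access blocks bottom-up; first match wins."""
    auth = [kv for kind, _, kv in blocks if kind == "auth"]
    identity = username if authenticated else auth[-1].get("default", "<unauthenticated>")
    for kind, _, kv in reversed(blocks):
        if kind == "access" and wildmat(kv.get("users", ""), identity):
            return wildmat(kv.get("newsgroups", ""), newsgroup)
    return False

# The poster's working readers.conf from the thread (ckpasswd command line omitted).
WORKING = parse_readers_conf('''auth "foreignokay" {
default: "<unauthenticated>"
}
access "authenticatedpeople" {
users: "*"
newsgroups: "*"
}
access "restrictive" {
users: "<unauthenticated>"
newsgroups: "!*"
}''')
SWAPPED = [WORKING[0], WORKING[2], WORKING[1]]  # constructed: access blocks swapped
```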