Path: nntp.eternal-september.org!news.eternal-september.org!eternal-september.org!feeder3.eternal-september.org!news.trigofacile.com!.POSTED.2001:861:3f81:7990:95b7:f0a6:26c4:d5b7!not-for-mail
From: =?UTF-8?Q?Julien_=C3=89LIE?= <iulius@nom-de-mon-site.com.invalid>
Newsgroups: news.software.nntp
Subject: Re: [solved] INN2 set up user authentication via ckpasswd
Date: Wed, 16 Jul 2025 07:09:43 +0200
Organization: Groupes francophones par TrigoFACILE
Message-ID: <1057c6o$2c6pq$1@news.trigofacile.com>
References: <104und1$2shgo$1@paganini.bofh.team>
 <104v2af$31t1u$1@paganini.bofh.team> <10522t1$28l4l$1@news.trigofacile.com>
 <1054f2u$3lfnu$1@paganini.bofh.team> <1054iah$3llei$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 16 Jul 2025 05:09:44 -0000 (UTC)
Injection-Info: news.trigofacile.com; posting-account="julien"; posting-host="2001:861:3f81:7990:95b7:f0a6:26c4:d5b7";
	logging-data="2497338"; mail-complaints-to="abuse@trigofacile.com"
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:CNlZ07YebHX4+TrqoeVTU8ZQ2N4= sha256:+XkIQQKf1+ny6htkq/WzEE7QpEpj/RWsDyPbA5cAKII=
	sha1:ALUiOqAnkTMvSGQ3EUjYa4n7vtw= sha256:3kR0Rjhw1wyCBFXtPUecIgk3UbyJYeUa329w63Twksc=
In-Reply-To: <1054iah$3llei$1@paganini.bofh.team>

Hi,

> Authentication works with the below configuration in readers.conf.
> I suppose INN is choosing the first one that applies ?

Glad to hear that!
Both authentication and access blocks are checked from the *last* one in 
the readers.conf file to the first one (bottom up).  As soon as one 
matches, the corresponding identity or access is assigned to the user.


> I needed to include the full path to ckpasswd as it is not in system path.

Strange.  There's normally no need to have the full path in the system 
path as you seem to use the default one (/usr/lib/news/bin/auth/passwd) 
which is hard-coded in INN:

     tmp = concatpath(innconf->pathbin, INN_PATH_AUTHDIR);
     resdir = concatpath(tmp, INN_PATH_AUTHDIR_PASSWD);
     auth_external(&Client, command, resdir, username, password);


I suppose pathbin in inn.conf is "/usr/lib/news/bin".
Then the "auth" and "passwd" subdirectories are added to this path, and 
your ckpasswd program is started from there by default when no full path 
is given.


> I also needed to make sure I was entering into mode reader before authenticating.

Ah, that was it!
Indeed, you need to be in reader mode.  Sorry I did not spot that as I 
did not know the whole NNTP session.  The greeting banner would have 
been of help.

FWIW, authentication in transit mode is configured in incoming.conf 
(see the password parameter) and applies to your peers.


> I will follow your advice for a more secure password hashing scheme.
> The default one does look rather weak.

Yes.

-- 
Julien ÉLIE

"My wife claims that I never listen to what she says... well... something
   like that." (Chevy Chase)
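
A constructed readers.conf fragment illustrating the bottom-up matching and the default ckpasswd lookup described in this post. It is an added example, not taken from the thread or from the INN distribution; the block names, the password file path and the newsgroup patterns are assumptions.

```conf
# Constructed example: block names, file path and group patterns are
# placeholders, not values from the thread.

auth "all" {
    hosts: "*"
    # No directory given: nnrpd starts ckpasswd from
    # <pathbin in inn.conf>/auth/passwd by default.
    auth: "ckpasswd -f /path/to/newsusers"
    # Identity assigned to clients that have not authenticated.
    default: "<unauthenticated>"
}

# Blocks are checked from the bottom of the file up, so the broad
# rule goes FIRST: it is only reached when nothing below it matches.
access "authenticated" {
    users: "*"
    newsgroups: "*"
    access: "RP"
}

# The narrow rule goes LAST, so it is checked first and wins for
# clients that still carry the default identity.
access "unauthenticated" {
    users: "<unauthenticated>"
    newsgroups: "local.*"
    access: "R"
}
```

If the two access blocks were swapped, the users: "*" pattern would be reached first and would also match the <unauthenticated> identity, giving unauthenticated readers the broad read and post access.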