Commit | Line | Data |
---|---|---|
d9898ee8 | 1 | <?xml version="1.0"?> |
b0322a85 | 2 | <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><title>userdbpw</title><link rel="stylesheet" type="text/css" href="style.css"/><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"/><link rel="home" href="#userdbpw" title="userdbpw"/><link xmlns="" rel="stylesheet" type="text/css" href="manpage.css"/><meta xmlns="" name="MSSmartTagsPreventParsing" content="TRUE"/><link xmlns="" rel="icon" href="icon.gif" type="image/gif"/><!-- |
d9898ee8 | 3 | |
b0322a85 | 4 | Copyright 1998 - 2009 Double Precision, Inc. See COPYING for distribution |
d9898ee8 | 5 | information. |
6 | | |
d50284c4 | 7 | --></head><body><div class="refentry"><a id="userdbpw" shape="rect"> </a><div class="titlepage"/><div class="refnamediv"><h2>Name</h2><p>userdbpw — create an encrypted password</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">userdbpw</code> [[-md5] | [-hmac-md5] | [-hmac-sha1]] | <br clear="none"/><code class="command">userdb</code> {<em class="replaceable"><code>name</code></em>} set {<em class="replaceable"><code>field</code></em>}</p></div></div><div class="refsect1"><a id="idm255237918656" shape="rect"> </a><h2>DESCRIPTION</h2><p><span class="command"><strong>userdbpw</strong></span> enables secure entry of encrypted |
8d138742 | 8 | passwords into <code class="filename">@userdb@</code>.</p><p><span class="command"><strong>userdbpw</strong></span> reads a single line of text on |
d9898ee8 | 9 | standard input, encrypts it, and prints the encrypted result to standard |
10 | output.</p><p>If standard input is attached to a terminal device, | |
8d138742 | 11 | <span class="command"><strong>userdbpw</strong></span> explicitly issues a "Password: " prompt on |
d9898ee8 | 12 | standard error, and turns off echo while the password is entered.</p><p>The <code class="option">-md5</code> option is available on systems that use |
13 | MD5-hashed passwords (such as systems that use the current version of the | |
14 | PAM library for authenticating, with MD5 passwords enabled). | |
15 | This option creates an MD5 password hash, instead of using the | |
16 | traditional <code class="function">crypt()</code> function.</p><p><code class="option">-hmac-md5</code> and <code class="option">-hmac-sha1</code> options | |
17 | are available only if the userdb library is installed by an application | |
18 | that uses a challenge/response authentication mechanism. | |
19 | <code class="option">-hmac-md5</code> creates an intermediate HMAC context using the | |
20 | MD5 hash function. <code class="option">-hmac-sha1</code> uses the SHA1 hash function | |
21 | instead. Whether either HMAC function is actually available depends on the | |
22 | actual application that installs the <code class="option">userdb</code> library.</p><p>Note that even though the result of HMAC hashing looks like an encrypted | |
23 | password, it's really not. HMAC-based challenge/response authentication | |
24 | mechanisms require the password itself to be available in cleartext. | |
25 | Computing an intermediate HMAC context does scramble the cleartext password, | |
26 | however, if it is compromised, it WILL be possible for an attacker to successfully | |
27 | authenticate. Therefore, applications that use challenge/response | |
28 | authentication will store intermediate HMAC contexts in the "pw" fields in the | |
29 | userdb database, which will be compiled into the | |
30 | <code class="filename">userdbshadow.dat</code> | |
31 | database, which has group and world permissions turned off. The | |
32 | userdb library also requires that the cleartext userdb source for the | |
33 | <code class="filename">userdb.dat</code> and | |
34 | <code class="filename">userdbshadow.dat</code> databases is also stored with the | |
35 | group and world permissions turned off.</p><p><span class="command"><strong>userdbpw</strong></span> is usually used together in a pipe with |
36 | <span class="command"><strong>userdb</strong></span>, which reads from standard input. For example:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample"><pre class="programlisting" xml:space="preserve"><span class="command"><strong>userdbpw -md5 | userdb users/john set systempw</strong></span></pre></div></blockquote></div><p>or:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample"><pre class="programlisting" xml:space="preserve"><span class="command"><strong>userdbpw -hmac-md5 | userdb users/john set hmac-md5pw</strong></span></pre></div></blockquote></div><p>These commands set the <code class="option">systempw</code> field in the record for | |
d9898ee8 | 37 | the user <code class="option">john</code> in the <code class="filename">@userdb@/users</code> file, and the |
38 | <code class="option">hmac-md5pw</code> field. Don't forget to run | |
39 | <span class="command"><strong>makeuserdb</strong></span> for the change to take effect.</p><p>The following command does the same thing:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample"><pre class="programlisting" xml:space="preserve"><span class="command"><strong>userdb users/john set systempw=<code class="option">SECRETPASSWORD</code></strong></span></pre></div></blockquote></div><p>However, this command passes the secret password as an argument to the |
40 | <span class="command"><strong>userdb</strong></span> command, which can be viewed by anyone who happens | |
d9898ee8 | 41 | to run |
42 | <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> | |
8d138742 | 43 | at the same time. Using <span class="command"><strong>userdbpw</strong></span> allows the secret password |
d9898ee8 | 44 | to be specified in a way that cannot be easily viewed by |
d50284c4 | 45 | <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>.</p></div><div class="refsect1"><a id="idm255234211328" shape="rect"> </a><h2>SEE ALSO</h2><p> |
8d138742 | 46 | <a class="ulink" href="userdb.html" target="_top" shape="rect"><span class="citerefentry"><span class="refentrytitle">userdb</span>(8)</span></a>, |
d9898ee8 | 47 | |
8d138742 | 48 | <a class="ulink" href="makeuserdb.html" target="_top" shape="rect"><span class="citerefentry"><span class="refentrytitle">makeuserdb</span>(8)</span></a></p></div></div></body></html> |
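The manual's warning that an intermediate HMAC context "is really not" an encrypted password can be made concrete. The Python example below is added here; it is not part of the userdb manual or of the Courier code base, and it does not reproduce userdbpw's on-disk format. It builds the inner and outer hash contexts that any HMAC implementation holds after absorbing the padded key (RFC 2104), then finishes an HMAC for arbitrary challenges from those saved contexts alone, and checks the result against Python's reference `hmac` module. The password and challenge strings are constructed sample values. Because whoever holds the two contexts can answer every future challenge without ever learning the cleartext password, the stored "pw" value is exactly as sensitive as the password, which is why `userdbshadow.dat` and its source must have group and world permissions turned off.

```python
import hashlib
import hmac

# MD5 and SHA-1, the two hash functions userdbpw can use, both work on
# 64-byte blocks, so the HMAC key is padded (or first hashed) to 64 bytes.
BLOCK_SIZE = 64


def hmac_context(password: bytes, hash_name: str = "md5"):
    """Return the (inner, outer) hash objects an HMAC implementation keeps
    after mixing in the key. This is the 'intermediate HMAC context' the
    manual describes: the password has been absorbed, but no challenge yet.
    """
    key = password
    if len(key) > BLOCK_SIZE:                      # RFC 2104: long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")           # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad)
    outer = hashlib.new(hash_name, opad)
    return inner, outer


def respond_from_context(inner, outer, challenge: bytes) -> bytes:
    """Complete HMAC(password, challenge) using only the saved contexts.
    The cleartext password is never needed at this point, so anyone holding
    the contexts can produce a valid response to any challenge.
    """
    i = inner.copy()            # copy so the stored context stays reusable
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.digest()


def reference_hmac(password: bytes, challenge: bytes, hash_name: str = "md5") -> bytes:
    """Textbook HMAC computed directly from the cleartext password."""
    return hmac.new(password, challenge, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample values, not taken from any real userdb database.
    password = b"correct horse battery staple"
    challenge = b"<1896.697170952@postoffice.example>"

    inner, outer = hmac_context(password, "md5")
    from_context = respond_from_context(inner, outer, challenge)
    from_password = reference_hmac(password, challenge, "md5")

    print("response from stored context :", from_context.hex())
    print("response from cleartext pw   :", from_password.hex())
    print("identical                    :", from_context == from_password)
```

The same construction applies to `-hmac-sha1` by passing `"sha1"` as the hash name. The only thing the stored context protects is the literal password string (useful if it is reused elsewhere); it does nothing to stop a holder of the context from authenticating to this service.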